diff --git a/CHANGELOG.md b/CHANGELOG.md index 77e69a9cd..53a8dd3d4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,20 @@ ## [Unreleased] +## [4.7.0] - 2020-12-17 + +* Update PowerSTIG to successfully parse/apply Microsoft Windows 2012 and 2012 R2 DC STIG - Ver 3, Rel 1: [#784](https://github.com/microsoft/PowerStig/issues/784) +* Update PowerSTIG to successfully parse/apply Microsoft Windows 2012 and 2012 R2 MS STIG - Ver 3, Rel 1: [#785](https://github.com/microsoft/PowerStig/issues/785) +* Update PowerSTIG to successfully parse/apply Microsoft Windows 10 STIG - Ver 2, Rel 1: [#783](https://github.com/microsoft/PowerStig/issues/783) +* Update PowerSTIG to successfully parse/apply Microsoft Windows Defender Antivirus STIG - Ver 2, Rel 1: [#786](https://github.com/microsoft/PowerStig/issues/786) +* Update PowerSTIG to successfully parse/apply Microsoft Windows Server 2016 STIG - Ver 2, Rel 1: [#782](https://github.com/microsoft/PowerStig/issues/782) +* Update PowerSTIG to successfully parse/apply Microsoft Windows Server 2019 STIG - Ver 2, Rel 1 [#787](https://github.com/microsoft/PowerStig/issues/787) +* Update PowerSTIG to successfully parse/apply Google Chrome V2R1: [#709](https://github.com/microsoft/PowerStig/issues/709) +* Update PowerSTIG to include LegacyId to assist in determining Legacy Vuln Ids with the new DISA standard: [#788](https://github.com/microsoft/PowerStig/issues/788) +* Update PowerSTIG to include LegacyId query via Get-StigRule function: [#800](https://github.com/microsoft/PowerStig/issues/800) +* Fixed: Update PowerSTIG to fix LegacyId logic: [#791](https://github.com/microsoft/PowerStig/issues/791) +* Fixed: Update PowerSTIG to correctly parse Windows Server 2019 DC - LDAP SecurityOptionRule: [#804](https://github.com/microsoft/PowerStig/issues/804) + ## [4.6.0] - 2020-12-01 * Provide Method to install DoD Root Certs for Server OS and Client OS: [#755](https://github.com/microsoft/PowerStig/issues/755) 
diff --git a/FILEHASH.md b/FILEHASH.md index f13c440fa..ff48b7228 100644 --- a/FILEHASH.md +++ b/FILEHASH.md @@ -1,4 +1,4 @@ -# PowerSTIG File Hashes : Module Version 4.6.0 +# PowerSTIG File Hashes : Module Version 4.7.0 Hashes for **PowerSTIG** files are listed in the following table: 
@@ -14,22 +14,24 @@ Hashes for **PowerSTIG** files are listed in the following table: | FireFox-All-4.28.xml | E84C9DB143EDA81131510607F0F667200BEF0950FF8E1FC4683C121489A8FCF5 | 38487 | | FireFox-All-4.29.org.default.xml | 9CA1F7AE74DDEB299A9B09F4259F1B12E2FD1BADED9CFBB89585D1428CF8C32F | 306 | | FireFox-All-4.29.xml | 83D5D4F59C81316455AAA18FFE207768E13C78CEBE91DD7C633E38E675C8B878 | 48344 | +| Google-Chrome-2.1.org.default.xml | 6B0CD862F76C16A40C3CB20EADFBC6A9D789211B707CEA8AE8F5513ED5318AF7 | 1143 | +| Google-Chrome-2.1.xml | 0CCC64397468814DFDFE1B9BC93D2521979F1959FEF9621C4C240D88ED967A86 | 96838 | | IISServer-10.0-1.2.org.default.xml | CCE53579894CC3DCE929CB2782DC077B9BEF54D3DFDFAD0208DDD8092D2DAA86 | 440 | | IISServer-10.0-1.2.xml | A4A5751B19B5BF1658B91D0BBA8DF405E35C9A28E84E6BE67CAD300C2AC9D131 | 131096 | | IISServer-10.0-2.1.org.default.xml | D0460DE57ADDF6FACCE9288CAF5B059D8D9F223276985F2AC53E0DC894E225AA | 440 | -| IISServer-10.0-2.1.xml | A77E882910DD67C0892E46F908ADB24A616F8BC2C54DC53217713CCEACA00EDB | 131197 | +| IISServer-10.0-2.1.xml | 44293CF4680B55AB2FC81113DDE3892F686C2E1E7B0C4666361516BB878CF870 | 133456 | | IISServer-8.5-1.11.org.default.xml | D2B45974062E5C376E5088B318EC6E858954BCE33CCCCB60390824C058DC3D3D | 439 | | IISServer-8.5-1.11.xml | 75B8A98823AC044D0BD68A66E6263D6FF7529DD54565660E0DA41DCC854587F1 | 132327 | | IISServer-8.5-2.1.org.default.xml | 74430102C9E2D3140C8FEC42EF426F214D191A387E9E2FF8235648D9455530A8 | 440 | -| IISServer-8.5-2.1.xml | 62A6BE8FB6E3A7B3B87092ECD670205AFDC3E5BE6F6423A001EF7D2311081252 | 130798 | +| IISServer-8.5-2.1.xml | 3FB79D7B3FDF5333524255F9E04559F33019031BB229EF116DD75A4331053DF0 | 132962 | | IISSite-10.0-1.2.org.default.xml | 881F5FACEC050D06B4FA949C641B930A38E54EFB831DA57C12D047F1C891C4BD | 1309 | | IISSite-10.0-1.2.xml | 82D1D28315F2930CA49BFA486E9F996EDEE2396D694CD01D4EB0D88DEDD463EC | 115767 | | IISSite-10.0-2.1.org.default.xml | 37D96FAD978E78F5E28FEDE958D033DF820464632C14699BE4BD349C11A6C601 | 1309 
| -| IISSite-10.0-2.1.xml | 48F01BD2F5A8AA6B8C5F15CA901A37561FF4E94B42973B09C60F222186B4EDE4 | 115864 | +| IISSite-10.0-2.1.xml | 43BBB8FFBFB08953639599362BA3D6663D1337C891E05A3E8516FB27D5EDA23F | 117801 | | IISSite-8.5-1.11.org.default.xml | 1A76F1D9232E65679703886888A243072E84A65F6CF4EFE67D61E577EDA6644B | 1383 | | IISSite-8.5-1.11.xml | A951C0E93FDD1EE15AD95B92928C4FCD10373CCEBD9AF1DC71179066EC1EA42B | 125081 | | IISSite-8.5-2.1.org.default.xml | B0BA05F7D3FD430927B8924334F90851630DB326463635EAA1E08EB6B212362A | 1403 | -| IISSite-8.5-2.1.xml | 1DE2B403183B12E66AAA0581CAA19B545EC2745120258E955DF82BC267715959 | 125274 | +| IISSite-8.5-2.1.xml | CAF8FE884C15BFE5F42CF624558925B97CF03C49FF61E4FA4842EA469484B58B | 127267 | | InternetExplorer-11-1.18.org.default.xml | 1095CEEAD18CBBAD9068326B97D520F7F76F1F71331618F17B2138DC8FE55ED4 | 306 | | InternetExplorer-11-1.18.xml | 7AB1611E525B8D257E722BE7175898F76EAC1C3AFD592C15738AC7EB365139D4 | 332058 | | InternetExplorer-11-1.19.org.default.xml | 586CE903A5C77913C78DAB9129560E118D56C6F4AB3C7B0AEA2BC38F25EE54DB | 306 | 
@@ -47,7 +49,7 @@ Hashes for **PowerSTIG** files are listed in the following table: | Office-Outlook2016-1.2.org.default.xml | B3587A82F4CC9A347B4D491AA1E84036EA1C410E24CB1B28DFF41846B58594F3 | 305 | | Office-Outlook2016-1.2.xml | 5AFB894BFCFB367FB643DE6ACAE8C513584EC2812DA54ECCBAFF9C551D465DF9 | 138739 | | Office-Outlook2016-2.1.org.default.xml | 90B8C7718C06C930178B621218A629B44A4F18885F0B5816E06AC76E8A1DA329 | 305 | -| Office-Outlook2016-2.1.xml | 465AE0839E3CEDCDF99014949913F28C8516F23DB2A00D010B85BDBFA718A0E5 | 139334 | +| Office-Outlook2016-2.1.xml | 32E12517ECB326AE1B049D9A268DA9A45D4E1141DC8C33CF5B97553F96C6172C | 141421 | | Office-PowerPoint2013-1.6.org.default.xml | 737AEDF59D64684358B3E58ED4D0C42E5FD99AA4495489B8E625B79CE838E663 | 305 | | Office-PowerPoint2013-1.6.xml | 563E20C0149E0CB20880EB777439A7B67C4FE1BBF4347EA7677048E6DD2D2EAA | 94142 | | Office-PowerPoint2016-1.1.org.default.xml | 3FEE8C811ED3DB6986E24ABF9BBA833975A908C82EFAECC2E91755E10D02C30C | 431 | @@ -55,7 +57,7 @@ Hashes for **PowerSTIG** files are listed in the following table: | Office-System2013-1.9.org.default.xml | 45055F756C705090A9F8D6470EF55C2FC8838EA00B2103E372E22B948A06DF63 | 869 | | Office-System2013-1.9.xml | 346A48CA6FD98889F0E60928AA0E87E138CF4E8A45E1BDB82BB04005428638C5 | 122545 | | Office-System2013-2.1.org.default.xml | 96C2EFAF8780965F18914EB31F6C869AF63ADDB780CB3EA537626BA7DA2B7358 | 873 | -| Office-System2013-2.1.xml | AEE84228BF4E1F341BEF640202AD4BA134526D67AEA6FF4F96F9AD3391784783 | 115297 | +| Office-System2013-2.1.xml | 40657EF393151DFE4D8FD1B5ABD4C5E87DD4AFD3A7F0B230DD22502F0B9DBF4C | 117184 | | Office-System2016-1.1.org.default.xml | 1BC04F0B3B55ED751A1451845E35821A7A8DE2A9592ED63D70AD422E5B3BB1C4 | 305 | | Office-System2016-1.1.xml | 6ABE255AD940C70AA20E72B50FCE9E78BA3C3291C085EFF26581059445904229 | 63544 | | Office-Visio2013-1.4.org.default.xml | DEB619FD6632472F27796C703DB93523035A5BCD84A2FE878DABBCFC968FFFD9 | 305 | 
@@ -77,48 +79,48 @@ Hashes for **PowerSTIG** files are listed in the following table: | SqlServer-2016-Instance-1.10.org.default.xml | B3F8FCFB9E003FBADBD9A2FE64F807DD54FF660ABFAE8E80DF229339F69138DD | 306 | | SqlServer-2016-Instance-1.10.xml | 474084FF0E2742078124A15651C46D24F51CB7ED7FEE1CEDC3081811C3FAB8F2 | 467648 | | SqlServer-2016-Instance-2.1.org.default.xml | 90B8C7718C06C930178B621218A629B44A4F18885F0B5816E06AC76E8A1DA329 | 305 | -| SqlServer-2016-Instance-2.1.xml | 5A3768B0814749B9FB476AE9ED38AF1B8D10613F40D1E928C99A8B262A86D39F | 461823 | +| SqlServer-2016-Instance-2.1.xml | 4EEA00BFC5072FB2969EAB567DD6B8602841AE00E7A059A99F63698CCB50A3E6 | 466722 | | vSphere-6.5-1.3.org.default.xml | C990416E2E49502DADF351E07E50F01FDE10BDDADD940316F943BC31CA043BFA | 791 | | vSphere-6.5-1.3.xml | 1DE6CB25FD5ACD705F0F7ED1AB8F062F75B00B85FFD6DD5688D81C51858043A2 | 168420 | | Vsphere-6.5-1.4.org.default.xml | 0094C819CBDE50985DC324280712622E3ECAA46E45AFFFEAFB6C91A139B72627 | 791 | | Vsphere-6.5-1.4.xml | D78A4D1192D4D0836A6A3FC945F06D4DF3F9EB36F35141A4BED8DC401AEB71DE | 143136 | -| WindowsClient-10-1.21.org.default.xml | 1356B94B5A6F5A37F07C70EABF0D2977241D99EA5C8F278D51ACDD607F85E870 | 4803 | -| WindowsClient-10-1.21.xml | 6D832C0B109A16E08B44BE0F04567085E09B902F86AEE69F581F1FD7CA174517 | 797580 | | WindowsClient-10-1.23.org.default.xml | 560C71F2C07DB76CB9B824D50FEFA2D50F59AF4379BD2EB13C75D091EAAF6382 | 4828 | | WindowsClient-10-1.23.xml | 0C3EEA49B0A81C6A6DDD4CAC6273BDB539EDCC2F087DD5D4D71FA881C7836828 | 706835 | -| WindowsDefender-All-1.7.org.default.xml | C6D7C72A7EC7681FADC9F9CEACE9D7A7BF3391E26DE0E0F202C7C53EA2CD1C8C | 1170 | -| WindowsDefender-All-1.7.xml | 9657199FA1B037CA49D274BE3B0960F6EF1590178991C9A4B346B5BC9E6BB945 | 95148 | +| WindowsClient-10-2.1.org.default.xml | 00E4C5DD37FA4AAA5C050F1FB2D04662541DF389040F2861EAA011E603256A74 | 4660 | +| WindowsClient-10-2.1.xml | 6A2663CE9691A3F8812964008A0980647991611D0D568F64496F616A3E0122AC | 718398 | | 
WindowsDefender-All-1.8.org.default.xml | C9609DE449345A4BE63AACBEF2EE44689852811ED2D4845F426945C5ADE25897 | 1071 | | WindowsDefender-All-1.8.xml | F54DDC75434BF5CA58A57F2FC648A04F90FB7C0A6BC4C10B3BC00DFCF6BB71A5 | 94765 | +| WindowsDefender-All-2.1.org.default.xml | 1B0F2EE7D068944E2B55187D9A45DC792CD38559DF888AFC8C6FF10B3A756770 | 1088 | +| WindowsDefender-All-2.1.xml | 4A6538A6AD9E0ADF16D6A907DF0A12EAE44952BDCF383455C52A7E850FD8C45F | 96806 | | WindowsDnsServer-2012R2-1.15.org.default.xml | B96A080974E42D51381B47C63FEB29F5DF91EDED3A44617945AC78A1D39E89D1 | 449 | | WindowsDnsServer-2012R2-1.15.xml | F5881AF1DF6BD623F6C115DC059C8EEBA4F5175A0986F21322A268E8825D63FF | 268780 | | WindowsDnsServer-2012R2-2.1.org.default.xml | 693C53E7B2DCB367DA8119934BBC66C2FD78BFC764F4FC2A514FC00CB1C450F9 | 449 | -| WindowsDnsServer-2012R2-2.1.xml | EB837A7E949C301736283A940DF55EA54CBFCB3B92FBFFD3C6D0E331E68CAD8D | 244143 | +| WindowsDnsServer-2012R2-2.1.xml | D5C639D871A9875C6AD4FFD0B5EF9C822FE9568827605E0C4D15AC185FD879F9 | 247159 | | WindowsFirewall-All-1.6.org.default.xml | 129A5B9F20B27E36FED4C1AC470B7B7419B563A6B2733B7FC3112CAF682ABB77 | 966 | | WindowsFirewall-All-1.6.xml | 42FA28D3C4BA6387D3EA4F5DCB72F133F814D3A9854555498E22DDFD188194B7 | 65518 | | WindowsFirewall-All-1.7.org.default.xml | 64E9FFA9B456C36DD36B5824BF641E473931B5C350F473DDFFDF31B1B64DD016 | 966 | | WindowsFirewall-All-1.7.xml | BBB13C6D675EB591D972EF8AD9B46472CFE80FCAD76E9D453586E6BE430F01B6 | 65518 | -| WindowsServer-2012R2-DC-2.19.org.default.xml | 119AA2E10130E0518F700ABB3623A24E08459D677298BCB54F86A29347D67307 | 5457 | -| WindowsServer-2012R2-DC-2.19.xml | B545AD63C8EAACCEA6169B71A083736656C1C816A7C10548460558FDC670338F | 771790 | | WindowsServer-2012R2-DC-2.21.org.default.xml | 283BBECBB51464093C4DAB666C7CEB3B6F42D7AF6F15D4067951D904287ECC9B | 5457 | | WindowsServer-2012R2-DC-2.21.xml | 137671F0A048D2A2A20C85B9D24E48A96E04DD6A3525858DC89B679492041535 | 774698 | -| 
WindowsServer-2012R2-MS-2.17.org.default.xml | 399C869FC12FD21214F427A41BC8F2FE0C5D815EA2A6DC387339F8DA003D889F | 4913 | -| WindowsServer-2012R2-MS-2.17.xml | 737CB71B2FD7A6839CB7B02C714F982ADCB7797AE7F7536A4FD05259F04CEDB8 | 665509 | +| WindowsServer-2012R2-DC-3.1.org.default.xml | 1E6C3050BFC42B2F61D829F9C1EE40DCAA7335B9EE5AEF185CB69C4EE2765633 | 5596 | +| WindowsServer-2012R2-DC-3.1.xml | F5927DDA5E7A284615388CF7CD2F351DE46FB1A87F1421DBC2A7147D42BE38CD | 784187 | | WindowsServer-2012R2-MS-2.19.org.default.xml | AB13E75014B54356651DF9A790155B4BDE4D5A189EAF2BA5665635C667A27155 | 4913 | | WindowsServer-2012R2-MS-2.19.xml | 047B0425AB155611E371FE37E059C7F44B6842736CDD1372ECD34BF04EAB408A | 668684 | -| WindowsServer-2016-DC-1.10.org.default.xml | 928F37C54F333ABBB403DDBA264BF1D7F3E69462B326797E10AC400C520F49D7 | 4598 | -| WindowsServer-2016-DC-1.10.xml | BA20DE96E4900D06A16811D3A1EE3BBB63300780983F6E6D767402176EEFFC8A | 547947 | +| WindowsServer-2012R2-MS-3.1.org.default.xml | D84032D248CC5D70C2D1CF24B86AAE02D73330FA1EC4E69249FC2C4A523883AD | 5026 | +| WindowsServer-2012R2-MS-3.1.xml | 86248DA9F80EDB67126F579E30EFFAC71B7EC9E6632CF5DEB4CBEC87B956FE97 | 678771 | | WindowsServer-2016-DC-1.12.org.default.xml | 7E29598C831A28FE0A94E566B448CF10D7A75AE82C7AFD7F5281067C777601BD | 4598 | | WindowsServer-2016-DC-1.12.xml | 6FA88C2321461D8455BC28A2B977DFC1D2EDA8D1F585EB8B4F0DD60D1E1DD8DE | 550978 | -| WindowsServer-2016-MS-1.10.org.default.xml | 0D4C4F9983F354B4186A83C1E64CB722FB855E211ECF5E329755FE74404259FA | 4714 | -| WindowsServer-2016-MS-1.10.xml | 4F5BE41F030E299CF379041CE181FE0BFBBD7A3E76E2405829983EB1949784EA | 470570 | +| WindowsServer-2016-DC-2.1.org.default.xml | B80069F4AEB52DB4CA7934E617A699A8F8D343E7EAC7DE1FF088CAAC6AF20602 | 4671 | +| WindowsServer-2016-DC-2.1.xml | E6A62B787CFD6DB3A8AE3AAC17C08F856DB8B11F424DA1B81290B16607645DCC | 561489 | | WindowsServer-2016-MS-1.12.org.default.xml | 6167494CE31CF938EBBB91FDEA24ABC05D11FA13294EFD1DEF36DB6ACF12EF5D | 4714 | | 
WindowsServer-2016-MS-1.12.xml | 6A06D0C7B734A504F90F3FF7B33A44EEEFAA47C982FC891B46B6FD57171CEC65 | 473633 | -| WindowsServer-2019-DC-1.3.org.default.xml | FEF197F027ADB13849604CFE145A9541663E947F91B262EC234CA97E7015BD93 | 4842 | -| WindowsServer-2019-DC-1.3.xml | FBB47CA9382084CB7A58AF85BE881B645D875552C413166C911CAB8287995E79 | 832961 | +| WindowsServer-2016-MS-2.1.org.default.xml | 183037554B06AD1FE437CA4569657759DAE1DC08FA46D886CC9310072952DD05 | 4783 | +| WindowsServer-2016-MS-2.1.xml | 491E715367722D255D8F3DD3FFFA78F01514539B5FB236A8212A70139A924D65 | 483071 | | WindowsServer-2019-DC-1.5.org.default.xml | 4C557728FC6957E8366F3FA61F9AF9B93097D17F768FA34D82EAE39472553DE0 | 4842 | | WindowsServer-2019-DC-1.5.xml | 304B5E1F9AA02630E2FAAA260A89690B4C507428F787E32C5F5B9424A9F22343 | 835931 | -| WindowsServer-2019-MS-1.3.org.default.xml | 95D1EF80EC3533EF1B32BFF282042F73410627045049CA03C1E7537BC50181DF | 4780 | -| WindowsServer-2019-MS-1.3.xml | 48F4E1F528FD80C64DFBD820ECD3F345CA7D25107324AFA8E52CA4F267A2ADE3 | 755318 | +| WindowsServer-2019-DC-2.1.org.default.xml | 16E9FD633C5E0609DC83C6D3DF153E488647690323FFA6061342BD07156EA433 | 4770 | +| WindowsServer-2019-DC-2.1.xml | 3B7A17903DF6F0ECAB63D1A79FDD4B85A5D40DC459EED72300520963F2E6CEB3 | 852593 | | WindowsServer-2019-MS-1.5.org.default.xml | C66E670220BE21B939CE7323C3E2F65281C0A1627229EF1B03F196D62AB16054 | 4780 | | WindowsServer-2019-MS-1.5.xml | 9031353E5A070FAD5CF136AB366924D5C0DAF16077D4882E10CE3496E5DDA788 | 758317 | +| WindowsServer-2019-MS-2.1.org.default.xml | FA3161D5757A0851C663F2F04596D9964D5BE756113F0691C608497D02C09914 | 4702 | +| WindowsServer-2019-MS-2.1.xml | 490BEC047CE034AF0FFAAE81BBA643F15B8683FB5A9CE41C16921D682F35A16F | 773974 | diff --git a/Tests/Integration/DSCResources/Chrome.config.ps1 b/Tests/Integration/DSCResources/Chrome.config.ps1 new file mode 100644 index 000000000..d4303b9f7 --- /dev/null +++ b/Tests/Integration/DSCResources/Chrome.config.ps1 
@@ -0,0 +1,57 @@ +configuration Chrome_config +{ + param + ( + [Parameter()] + [AllowNull()] + [string] + $TechnologyVersion, + + [Parameter()] + [AllowNull()] + [string] + $TechnologyRole, + + [Parameter(Mandatory = $true)] + [version] + $StigVersion, + + [Parameter()] + [string[]] + $SkipRule, + + [Parameter()] + [string[]] + $SkipRuleType, + + [Parameter()] + [string[]] + $SkipRuleSeverity, + + [Parameter()] + [hashtable] + $Exception, + + [Parameter()] + [object] + $OrgSettings, + + [Parameter()] + [string[]] + $ResourceParameters + ) + + Import-DscResource -ModuleName PowerStig + + Node localhost + { + $psboundParams = $PSBoundParameters + $psboundParams.Remove('TechnologyRole') + $psboundParams.Remove('ConfigurationData') + $psboundParams.Remove('TechnologyVersion') + + $resourceParamString = New-ResourceParameterString -ResourceParameters $ResourceParameters -PSBoundParams $psboundParams + $resourceScriptBlockString = New-ResourceString -ResourceParameterString $resourceParamString -ResourceName Chrome + & ([scriptblock]::Create($resourceScriptBlockString)) + } +} diff --git a/Tests/Integration/DSCResources/Chrome.integration.tests.ps1 b/Tests/Integration/DSCResources/Chrome.integration.tests.ps1 new file mode 100644 index 000000000..11f453ef1 --- /dev/null +++ b/Tests/Integration/DSCResources/Chrome.integration.tests.ps1 
@@ -0,0 +1,47 @@ +using module .\helper.psm1 + +$script:DSCCompositeResourceName = ($MyInvocation.MyCommand.Name -split '\.')[0] +. $PSScriptRoot\.tests.header.ps1 + +$configFile = Join-Path -Path $PSScriptRoot -ChildPath "$($script:DSCCompositeResourceName).config.ps1" +. $configFile + +$script:DSCCompositeResourceNameUpdate = "Google-{0}" -f ($MyInvocation.MyCommand.Name -split '\.')[0] +$stigList = Get-StigVersionTable -CompositeResourceName $script:DSCCompositeResourceNameUpdate +$resourceInformation = $global:getDscResource | Where-Object -FilterScript {$PSItem.Name -eq $script:DSCCompositeResourceName} +$resourceParameters = $resourceInformation.Properties.Name + +foreach ($stig in $stigList) +{ + $orgSettingsPath = $stig.Path.Replace('.xml', '.org.default.xml') + $blankSkipRuleId = Get-BlankOrgSettingRuleId -OrgSettingPath $orgSettingsPath + $powerstigXml = [xml](Get-Content -Path $stig.Path) | + Remove-DscResourceEqualsNone | Remove-SkipRuleBlankOrgSetting -OrgSettingPath $orgSettingsPath + + $skipRule = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id + $skipRuleType = $null + $expectedSkipRuleTypeCount = 0 + $blankSkipRuleId.Count + + $skipRuleMultiple = Get-Random -InputObject $powerstigXml.RegistryRule.Rule.id -Count 2 + $skipRuleTypeMultiple = $null + $expectedSkipRuleTypeMultipleCount = 0 + $blankSkipRuleId.Count + + $singleSkipRuleSeverity = 'CAT_I' + $multipleSkipRuleSeverity = 'CAT_I', 'CAT_II' + $expectedSingleSkipRuleSeverity = Get-CategoryRule -PowerStigXml $powerstigXml -RuleCategory $singleSkipRuleSeverity + $expectedSingleSkipRuleSeverityCount = ($expectedSingleSkipRuleSeverity | Measure-Object).Count + $blankSkipRuleId.Count + $expectedMultipleSkipRuleSeverity = Get-CategoryRule -PowerStigXml $powerstigXml -RuleCategory $multipleSkipRuleSeverity + $expectedMultipleSkipRuleSeverityCount = ($expectedMultipleSkipRuleSeverity | Measure-Object).Count + $blankSkipRuleId.Count + + $getRandomExceptionRuleParams = @{ + RuleType = 
'RegistryRule' + PowerStigXml = $powerstigXml + ParameterValue = 1234567 + } + $exception = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 + $exceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 + $backCompatException = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 1 -BackwardCompatibility + $backCompatExceptionMultiple = Get-RandomExceptionRule @getRandomExceptionRuleParams -Count 2 -BackwardCompatibility + + . "$PSScriptRoot\Common.integration.ps1" +} diff --git a/Tests/Unit/Module/Rule.tests.ps1 b/Tests/Unit/Module/Rule.tests.ps1 index 9775446a4..2e0edd928 100644 --- a/Tests/Unit/Module/Rule.tests.ps1 +++ b/Tests/Unit/Module/Rule.tests.ps1 @@ -15,6 +15,9 @@ try It 'Should return the rule Id' { $stig.id | Should Be 'V-1000' } + It 'Should return the legacy Id' { + $stig.legacyid | Should Be 'V-1111' + } It 'Should return the Severity' { $stig.severity | Should Be 'medium' } diff --git a/Tests/Unit/Module/STIG.PowerStigXml.tests.ps1 b/Tests/Unit/Module/STIG.PowerStigXml.tests.ps1 index 72dda172b..7f03c871c 100644 --- a/Tests/Unit/Module/STIG.PowerStigXml.tests.ps1 +++ b/Tests/Unit/Module/STIG.PowerStigXml.tests.ps1 @@ -26,9 +26,9 @@ Describe 'Compare-PowerStigXml' { Describe 'Get-BaseRulePropertyName' { - It 'Should return 11 base rule types' { + It 'Should return 12 base rule types' { $baseRulePropertyName = Get-BaseRulePropertyName - $baseRulePropertyName.Count | Should -Be 11 + $baseRulePropertyName.Count | Should -Be 12 } } diff --git a/Tests/Unit/Module/STIG.RuleQuery.tests.ps1 b/Tests/Unit/Module/STIG.RuleQuery.tests.ps1 index 5ebaf5a35..54ea1972f 100644 --- a/Tests/Unit/Module/STIG.RuleQuery.tests.ps1 +++ b/Tests/Unit/Module/STIG.RuleQuery.tests.ps1 @@ -8,6 +8,7 @@ $xmlTestData = @' <VulnDiscussion>Test STIG Description</VulnDiscussion>< + V-1111 Present False HKEY_LOCAL_MACHINE\Software\Microsoft\TestKeyData 
@@ -57,6 +58,28 @@ try $getStigRuleResult.OrganizationValueRequired | Should -Be 'False' $getStigRuleResult.OrganizationValueTestString | Should -Be $([string]::Empty) $getStigRuleResult.VulnId | Should -Be 'V-1000' + $getStigRuleResult.LegacyId | Should -Be 'V-1111' + $getStigRuleResult.Ensure | Should -Be 'Present' + $getStigRuleResult.Key | Should -Be 'HKEY_LOCAL_MACHINE\Software\Microsoft\TestKeyData' + $getStigRuleResult.ValueData | Should -Be 'TestValueData' + $getStigRuleResult.ValueName | Should -Be 'TestValueName' + $getStigRuleResult.ValueType | Should -Be 'String' + } + + It 'Should return a V-1000 Rule PSCustomObject Detailed' { + $getStigRuleResult = Get-StigRule -LegacyId 'V-1111' -ProcessedXmlPath $testProcessedXml -Detailed + $getStigRuleResult.StigId | Should -Be 'TestSTIGData' + $getStigRuleResult.StigVersion | Should -Be '1.1' + $getStigRuleResult.Severity | Should -Be 'medium' + $getStigRuleResult.Title | Should -Be 'SRG-APP-000000' + $getStigRuleResult.Description | Should -Be 'Test STIG Description' + $getStigRuleResult.RuleType | Should -Be 'RegistryRule' + $getStigRuleResult.DscResource | Should -Be 'Registry' + $getStigRuleResult.DuplicateOf | Should -Be $([string]::Empty) + $getStigRuleResult.OrganizationValueRequired | Should -Be 'False' + $getStigRuleResult.OrganizationValueTestString | Should -Be $([string]::Empty) + $getStigRuleResult.VulnId | Should -Be 'V-1000' + $getStigRuleResult.LegacyId | Should -Be 'V-1111' $getStigRuleResult.Ensure | Should -Be 'Present' $getStigRuleResult.Key | Should -Be 'HKEY_LOCAL_MACHINE\Software\Microsoft\TestKeyData' $getStigRuleResult.ValueData | Should -Be 'TestValueData' diff --git a/Tools/TestHelper/Data/samplegroup.xml.txt b/Tools/TestHelper/Data/samplegroup.xml.txt index c7d0499a8..f0949df6c 100644 --- a/Tools/TestHelper/Data/samplegroup.xml.txt +++ b/Tools/TestHelper/Data/samplegroup.xml.txt @@ -13,6 +13,7 @@ Technology 2350 + {6} CCE--12345-6 CCI-123456 {4} 
diff --git a/Tools/TestHelper/TestHelper.psm1 b/Tools/TestHelper/TestHelper.psm1 index be13b0de6..e7ee2beeb 100644 --- a/Tools/TestHelper/TestHelper.psm1 +++ b/Tools/TestHelper/TestHelper.psm1 @@ -136,6 +136,10 @@ function Get-TestStigRule [string] $FixText = 'This is a string of text that tells an admin how to fix an item if it is not currently configured properly and ignored by the parser', + [Parameter(Parametersetname = 'UseExisting')] + [string] + $LegacyId = 'V-1111', + [Parameter(Parametersetname = 'UseExisting')] [Parameter(Parametersetname = 'FileProvided')] [switch] @@ -162,7 +166,7 @@ function Get-TestStigRule { # Get the samplegroup element text and merge in the parameter strings $groupElement = Get-Content -Path "$PSScriptRoot\data\sampleGroup.xml.txt" -Encoding UTF8 -Raw - $groupElement = $groupElement -f $GroupId, $GroupTitle, $RuleTitle, $RuleDescription, $FixText, $CheckContent + $groupElement = $groupElement -f $GroupId, $GroupTitle, $RuleTitle, $RuleDescription, $FixText, $CheckContent, $LegacyId } # Get and merge the group element data into the xccdf xml document and create an xml object to return diff --git a/source/DSCResources/Chrome/Chrome.psd1 b/source/DSCResources/Chrome/Chrome.psd1 new file mode 100644 index 000000000..442371e5a --- /dev/null +++ b/source/DSCResources/Chrome/Chrome.psd1 
@@ -0,0 +1,48 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +@{ + + # Script module or binary module file associated with this manifest. + RootModule = 'Chrome.schema.psm1' + + # Version number of this module. + ModuleVersion = '1.0.0.0' + + # ID used to uniquely identify this module + GUID = '30cee7e3-aa8b-4f11-bcfa-01b851eecae5' + + # Author of this module + Author = 'Microsoft Corporation' + + # Company or vendor of this module + CompanyName = 'Microsoft Corporation' + + # Copyright statement for this module + Copyright = '(c) 2020 Microsoft Corporation. All rights reserved.' + + # Description of the functionality provided by this module + Description = 'Composite DSC Resource for managing Google Chrome related DISA STIGs' + + # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. + FunctionsToExport = @('Chrome') + + # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. + CmdletsToExport = @() + + # Variables to export from this module + VariablesToExport = '*' + + # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. + AliasesToExport = @() + + # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. + PrivateData = @{ + + PSData = @{ + + } # End of PSData hashtable + + } # End of PrivateData hashtable + +} diff --git a/source/DSCResources/Chrome/Chrome.schema.psm1 b/source/DSCResources/Chrome/Chrome.schema.psm1 new file mode 100644 index 000000000..8da11681a --- /dev/null +++ b/source/DSCResources/Chrome/Chrome.schema.psm1 
@@ -0,0 +1,77 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +using module ..\helper.psm1 +using module ..\..\PowerStig.psm1 + +<# + .SYNOPSIS + A composite DSC resource to manage the Chrome STIG settings + .PARAMETER BrowserVersion + The version of the Browser the STIG applies to + .PARAMETER StigVersion + The version of the STIG to apply and monitor + .PARAMETER Exception + A hash table of key value pairs that are injected into the STIG data and applied to + the target node. The title of STIG setting is tagged with the text 'Exception' to identify + the exceptions to policy across the data center when you centralize DSC log collection. + .PARAMETER OrgSettings + The path to the xml file that contains the local organizations preferred settings for STIG + items that have allowable ranges. The OrgSettings parameter also accepts a hashtable for + values that need to be modified. When a hashtable is used, the specified values take + presidence over the values defined in the org.default.xml file. + .PARAMETER SkipRule + The SkipRule Node is injected into the STIG data and applied to the target node. The title + of STIG settings are tagged with the text 'Skip' to identify the skips to policy across the + data center when you centralize DSC log collection. + .PARAMETER SkipRuleType + All STIG rule IDs of the specified type are collected in an array and passed to the Skip-Rule + function. Each rule follows the same process as the SkipRule parameter. 
+#> +configuration Chrome +{ + [CmdletBinding()] + param + ( + [Parameter()] + [ValidateNotNullOrEmpty()] + [version] + $StigVersion, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [hashtable] + $Exception, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [object] + $OrgSettings, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [string[]] + $SkipRule, + + [Parameter()] + [ValidateNotNullOrEmpty()] + [string[]] + $SkipRuleType, + + [Parameter()] + [ValidateSet('CAT_I', 'CAT_II', 'CAT_III')] + [string[]] + $SkipRuleSeverity + ) + + ##### BEGIN DO NOT MODIFY ##### + $stig = [STIG]::New('Google','Chrome', $StigVersion) + $stig.LoadRules($OrgSettings, $Exception, $SkipRule, $SkipRuleType, $SkipRuleSeverity) + ##### END DO NOT MODIFY ##### + + Import-DscResource -ModuleName GPRegistryPolicyDsc -ModuleVersion 1.2.0 + Import-DscResource -ModuleName PSDSCresources -ModuleVersion 2.12.0.0 + . "$resourcePath\windows.Registry.ps1" + . "$resourcePath\windows.Script.skip.ps1" + . "$resourcePath\windows.RefreshRegistryPolicy.ps1" +} diff --git a/source/Module/Common/Convert/Data.ps1 b/source/Module/Common/Convert/Data.ps1 index fdefcfb7b..9d5a044fe 100644 --- a/source/Module/Common/Convert/Data.ps1 +++ b/source/Module/Common/Convert/Data.ps1 @@ -6,6 +6,8 @@ data exclusionRuleList { ConvertFrom-StringData -StringData @' V-73523 = '' + V-225261 = 'Windows Server 2012R2 MS: Rule was previously excluded' + V-226051 = 'Windows Server 2012R2 DC: Rule does not apply to 2012R2 only 2012' V-6599 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' V-6600 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' V-6601 = 'McAfee:The GUID of the weekly on-demand client scan task varies by system' 
@@ -37,5 +39,6 @@ data exclusionRuleList V-94025 = 'Vsphere: To Be added in a future release' V-94533 = 'Vsphere: To Be added in a future release' V-102627 = 'No automation available based on STIG Guidance, Fix text recommends setting up Windows Hello for non-domain systems' + V-220946 = 'No automation available based on STIG Guidance, Fix text recommends setting up Windows Hello for non-domain systems' '@ } diff --git a/source/Module/Common/Functions.XccdfXml.ps1 b/source/Module/Common/Functions.XccdfXml.ps1 index 2465eddd5..dfe4cd0e3 100644 --- a/source/Module/Common/Functions.XccdfXml.ps1 +++ b/source/Module/Common/Functions.XccdfXml.ps1 @@ -429,6 +429,11 @@ function Split-BenchmarkId $returnId = 'OracleJRE_8' continue } + {$PSItem -match 'Google_Chrome_Current_Windows'} + { + $returnId = 'Google_Chrome' + continue + } {$PSItem -match "Windows"} { # The Windows Server 2012 and 2012 R2 STIGs are combined, so return the 2012R2 diff --git a/source/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1 b/source/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1 index 2021fd9c7..368f9ed7b 100644 --- a/source/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1 +++ b/source/Module/Rule.HardCoded/Convert/HardCodedRule.Convert.psm1 @@ -85,6 +85,7 @@ class HardCodedRuleConvert { $newRule.set_OrganizationValueRequired($true) } + $newRule.SetLegacyId($XccdfRule) $newRule.set_Severity($XccdfRule.rule.severity) $newRule.set_Description($XccdfRule.rule.description) $newRule.set_RawString($XccdfRule.Rule.check.'check-content') diff --git a/source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 b/source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 index 8fc2bd319..6cbe57b09 100644 --- a/source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 +++ b/source/Module/Rule.Registry/Convert/Functions.SingleLine.ps1 
@@ -53,6 +53,12 @@ function Get-SingleLineRegistryPath foreach ($item in $global:SingleLineRegistryPath.Values) { $value = Get-SLRegistryPath -CheckContent $CheckContent -Hashtable $item + + if ($value -match "HKEY_LOCAL_MACHINE.*Chrome\\") + { + $value = $value.TrimEnd("\") + } + if ([String]::IsNullOrEmpty($value) -eq $false) { return $value | where-object {[string]::IsNullOrEmpty($_) -eq $false} @@ -259,9 +265,16 @@ function Get-RegistryValueTypeFromSLStig $valueName = Get-RegistryValueNameFromSingleLineStig -CheckContent $CheckContent # McAfee STIG isn't written in a way that ValueType can be detected via CheckContent and/or FixText - if ($CheckContent -match 'Wow6432Node\\McAfee') + if ($CheckContent -match 'Wow6432Node\\McAfee|Google\\Chrome') { - $valueType = 'DWORD' + if ($valueName -match "1|URLBlacklist") + { + $valueType = 'REG_MULTI_SZ' + } + else + { + $valueType = 'DWORD' + } } else { diff --git a/source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 b/source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 index ae3ea7b54..8a4067317 100644 --- a/source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 +++ b/source/Module/Rule.Registry/Convert/RegistryRule.Convert.psm1 @@ -369,7 +369,7 @@ class RegistryRuleConvert : RegistryRule { if ($null -eq $this.DuplicateOf) { - if ($FixText -match 'Administrative Templates' -or $this.key -match "(^hkcu|^HKEY_CURRENT_USER)") + if ($FixText -match 'Administrative Templates' -or $this.key -match "(^hkcu|^HKEY_CURRENT_USER)" -or $this.ValueName -match "RemoteAccessHostFirewallTraversal") { $this.DscResource = 'RegistryPolicyFile' } @@ -405,6 +405,10 @@ class RegistryRuleConvert : RegistryRule ( $CheckContent -Match "HKLM|HKCU" -and $CheckContent -Match "REG_DWORD" + ) -or + ( + $CheckContent -Match "regedit" -and + $CheckContent -Match "omnibox" ) ) { 
diff --git a/source/Module/Rule.RootCertificate/Convert/Methods.ps1 b/source/Module/Rule.RootCertificate/Convert/Methods.ps1 index 44a51ec4b..0584b0d12 100644 --- a/source/Module/Rule.RootCertificate/Convert/Methods.ps1 +++ b/source/Module/Rule.RootCertificate/Convert/Methods.ps1 @@ -30,7 +30,7 @@ function Set-RootCertificateName { $certificateName = ($CheckContent | Select-String -Pattern '(?<=Subject:\sCN=)[^,]+' -AllMatches).Matches.Value | Select-Object -Unique } - + } elseif ($CheckContent -match 'Root\sCA') { @@ -104,9 +104,9 @@ function Test-MultipleRootCertificateRule $CheckContent ) - $certificateNames = ($CheckContent | Select-String -Pattern '(?<=Subject:\sCN=)[^,]+' -AllMatches).Matches.Value | Select-Object -Unique + $certificateThumbprint = ($CheckContent | Select-String -Pattern '(?<=Thumbprint:\s).*' -AllMatches).Matches.Value | Select-Object -Unique - if ($certificateNames.count -gt 1) + if ($certificateThumbprint.count -gt 1) { return $true } @@ -136,9 +136,8 @@ function Split-MultipleRootCertificateRule $certificateNames = ($CheckContent | Select-String -Pattern '(?<=Subject:\sCN=)[^,]+' -AllMatches).Matches.Value $certificateThumbprints = ($CheckContent | Select-String -Pattern '(?<=Thumbprint:\s).*' -AllMatches).Matches.Value | Select-Object -Unique $issuerNames = ($CheckContent | Select-String -Pattern '(?<=Issuer:\sCN=)[^,]+' -AllMatches).Matches.Value - $index = 0 - foreach ($certificate in $certificateNames) + for ($index = 0; $certificateThumbprints.Count -gt $index; $index++) { $multipleCertificateRule = @() @@ -152,7 +151,6 @@ function Split-MultipleRootCertificateRule } $multipleCertificatesRules += $multipleCertificateRule - $index += 1 } return $multipleCertificatesRules diff --git a/source/Module/Rule/Convert/ConvertFactory.psm1 b/source/Module/Rule/Convert/ConvertFactory.psm1 index 7cd1e8c2d..9e4daa528 100644 --- a/source/Module/Rule/Convert/ConvertFactory.psm1 +++ b/source/Module/Rule/Convert/ConvertFactory.psm1 
@@ -344,6 +344,10 @@ class ConvertFactory foreach ($convertedrule in $ruleTypeList) { $convertedrule.id = "$($Rule.id).$([CHAR][BYTE]$byte)" + if ([string]::IsNullOrEmpty($convertedrule.LegacyId) -eq $false) + { + $convertedrule.LegacyId = "$($convertedrule.LegacyId).$([CHAR][BYTE]$byte)" + } $byte ++ } } diff --git a/source/Module/Rule/Convert/Data.Chrome.ps1 b/source/Module/Rule/Convert/Data.Chrome.ps1 new file mode 100644 index 000000000..38fe7f5a0 --- /dev/null +++ b/source/Module/Rule/Convert/Data.Chrome.ps1 @@ -0,0 +1,24 @@ +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. + +<# + Instructions: Use this file to add/update/delete regsitry expressions that are used accross + multiple technologies files that are considered commonly used. Ensure expressions are listed + from MOST Restrive to LEAST Restrictive, similar to exception handling. Also, ensure only + UNIQUE Keys are used in each hashtable to prevent errors and conflicts. +#> + +$global:SingleLineRegistryValueName += [ordered]@{ + Chrome1 = @{ + Select = '(?<=3. If the\s|\s")\w+(?=("\s|\s)value name|\skey)' + } +} + +$global:SingleLineRegistryValueData += [ordered]@{ + Chrome1 = @{ + Select = "(?<=entries 1 set to )\w+\:\/\/\*" + } + Chrome2 = @{ + Select = '(?<=its value data is not set to\s|\s\")\d+|\*' + } +} diff --git a/source/Module/Rule/Convert/Functions.ps1 b/source/Module/Rule/Convert/Functions.ps1 index 1db9ceb9a..a481956c3 100644 --- a/source/Module/Rule/Convert/Functions.ps1 +++ b/source/Module/Rule/Convert/Functions.ps1 @@ -1,8 +1,6 @@ -#region Header # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. -#endregion -#region Data + # These are the registry strings that are not able to be automatically extracted from the xccdf. $script:legalNoticeText = 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
@@ -21,9 +19,7 @@ $script:legalNoticeCaption = 'DoD Notice and Consent Banner' $script:supportedEncryptionTypes = '0' $script:smb1FeatureName = 'FS-SMB1' $script:publishersCertificateRevocation = '146432' -#endregion -#region Main Functions <# .SYNOPSIS Accepts defeat in that the STIG string data for a select few checks are too unwieldy to parse @@ -32,8 +28,6 @@ $script:publishersCertificateRevocation = '146432' .PARAMETER StigId The Stig ID to check for a fixed string - - .NOTES #> function Test-ValueDataIsHardCoded { 
@@ -48,17 +42,28 @@ function Test-ValueDataIsHardCoded $stigIds = @( 'V-30935', # DotNet4 - Registry Setting - 'V-1089', # Windows Server 2012R2 - Legal Notice Display + 'V-1089', # Windows Server 2012R2 - Legal Notice Display + 'V-225465', # Windows Server 2012R2 (MS) - Legal Notice Display + 'V-226288', # Windows Server 2012R2 (DC) - Legal Notice Display 'V-73647', # Windows Server 2016 - Legal Notice Display + 'V-225036', # Windows Server 2016 - Legal Notice Display 'V-93147', # Windows Server 2019 - Legal Notice Display + 'V-205631', # Windows Server 2019 - Legal Notice Display 'V-63675', # Windows Client - Legal Notice Display + 'V-220921', # Windows Client - Legal Notice Display 'V-26359', # Windows Server 2012R2 - Legal Banner Dialog Box Title + 'V-225466', # Windows Server 2012R2 (MS) - Legal Banner Dialog Box Title + 'V-226289', # Windows Server 2012R2 (DC) - Legal Banner Dialog Box Title 'V-73649', # Windows Server 2016 - Legal Banner Dialog Box Title + 'V-225037', # Windows Server 2016 - Legal Banner Dialog Box Title 'V-93149', # Windows Server 2019 - Legal Banner Dialog Box Title + 'V-205632', # Windows Server 2019 - Legal Banner Dialog Box Title 'V-63681', # Windows Client - Legal Banner Dialog Box Title + 'V-220922', # Windows Client - Legal Banner Dialog Box Title 'V-73805', # Windows Server - Disable SMB1 'V-70639' is on the client + 'V-225259', # Windows Server - Disable SMB1 'V-70639' is on the client 'V-46477', # Internet Explorer - Publishers Certificate Revocation. - 'V-17761' # Outlook 2013 - OrgSetting Value + 'V-17761' # Outlook 2013 - OrgSetting Value ) if ($stigIds -contains $stigId) 
@@ -93,12 +98,12 @@ function Get-HardCodedString switch ($stigId) { - {$PSItem -match 'V-(1089|63675|73647|93147)'} + {$PSItem -match 'V-1089|V-63675|V-73647|V-93147|V-225465|V-226288|V-205631|V-220921|V-225036'} { Write-Verbose -Message "[$($MyInvocation.MyCommand.Name)] LegalNotice : $true" return $script:legalNoticeText } - {$PSItem -match 'V-(26359|63681|73649|93149)'} + {$PSItem -match 'V-26359|V-63681|V-73649|V-93149|V-225466|V-226289|V-225037|V-220922'} { Write-Verbose -Message "[$($MyInvocation.MyCommand.Name)] LegalCaption : $true" return $script:legalNoticeCaption @@ -109,7 +114,7 @@ function Get-HardCodedString return $script:supportedEncryptionTypes } - {$PSItem -match 'V-73805'} + {$PSItem -match 'V-73805|V-225259'} { Write-Verbose -Message "[$($MyInvocation.MyCommand.Name)] SMB1 : $true" return $script:smb1FeatureName 
@@ -143,15 +148,26 @@ function Get-HardCodedString $stigIds = @( 'V-3472.b', # Windows Time Service - Configure NTP Client + 'V-225361.b' # Windows Time Service - Configure NTP Client 'V-8322.b', # Time Synchronization + 'V-226076.b', # Time Synchronization (2012 R2 DC) 'V-14235', # UAC - Admin Elevation Prompt + 'V-225516', # UAC - Admin Elevation Prompt (2012 R2 MS) + 'V-226339', # UAC - Admin Elevation Prompt (2012 R2 DC) 'V-26359', # Windows Server 2012R2 - Legal Banner Dialog Box Title + 'V-225466', # Windows Server 2012R2 (MS) - Legal Banner Dialog Box Title + 'V-226289', # Windows Server 2012R2 (DC) - Legal Banner Dialog Box Title 'V-73649', # Windows Server 2016 - Legal Banner Dialog Box Title + 'V-225037', # Windows Server 2016 - Legal Banner Dialog Box Title 'V-93149', # Windows Server 2019 - Legal Banner Dialog Box Title + 'V-205632', # Windows Server 2019 - Legal Banner Dialog Box Title 'V-63681', # Windows 10 Client - Legal Banner Dialog Box Title + 'V-220922', # Windows 10 Client - Legal Banner Dialog Box Title 'V-17761', # Outlook 2013 - OrgSetting Value 'V-75241', # Windows Defender - ASSignatureDue - 'V-75243' # Windows Defender - AVSignatureDue + 'V-213452', # Windows Defender - ASSignatureDue + 'V-75243', # Windows Defender - AVSignatureDue + 'V-213453' # Windows Defender - AVSignatureDue ) if ($stigIds -contains $stigId) 
@@ -186,22 +202,22 @@ function Get-HardCodedString switch ($stigId) { - {$PSItem -match 'V-3472.b'} + {$PSItem -match 'V-3472.b|V-225361.b'} { $hardCodedString = "'{0}' -notmatch 'time.windows.com'" continue } - {$PSItem -match 'V-8322.b'} + {$PSItem -match 'V-8322.b|V-226076.b'} { $hardCodedString = "'{0}' -match '^(NoSync|NTP|NT5DS|AllSync)$'" continue } - {$PSItem -match 'V-14235'} + {$PSItem -match 'V-14235|V-225516|V-226339'} { $hardCodedString = "'{0}' -le '4'" continue } - {$PSItem -match 'V-26359|V-73649|V-93149|V-63681'} + {$PSItem -match 'V-26359|V-73649|V-93149|V-63681|V-225466|V-226289|V-205632|V-220922|V-225037'} { $hardCodedString = "'{0}' -match '^(DoD Notice and Consent Banner|US Department of Defense Warning Statement)$'" continue @@ -211,7 +227,7 @@ function Get-HardCodedString $hardCodedString = "'{0}' -ge '30' -and '{0}' -le '132'" continue } - {$PSItem -match 'V-75241|V-75243'} + {$PSItem -match 'V-75241|V-75243|V-213452|V-213453'} { $hardCodedString = "{0} -ge '1' -and {0} -le '7'" } @@ -275,7 +291,6 @@ function Get-HardCodedRuleProperty The HardCodedRule modified rule text from the check-content element in the xccdf. #> - function Split-HardCodedRule { [CmdletBinding()] @@ -289,4 +304,3 @@ function Split-HardCodedRule return $CheckContent -split '\' } -#endregion diff --git a/source/Module/Rule/Rule.psm1 b/source/Module/Rule/Rule.psm1 index 42c44db1c..77311d998 100644 --- a/source/Module/Rule/Rule.psm1 +++ b/source/Module/Rule/Rule.psm1 @@ -43,6 +43,7 @@ foreach ($supportFile in $supportFileList) class Rule : ICloneable { [string] $Id + [string] $LegacyId [string] $Title [severity] $Severity [status] $ConversionStatus 
@@ -100,24 +101,23 @@ class Rule : ICloneable #> Rule ([xml.xmlelement] $Rule, [switch] $Convert) { - # This relaces the current Invokeclass method $this.Id = $Rule.Id $this.Title = $Rule.Title $this.Severity = $Rule.rule.severity $this.Description = $Rule.rule.description - if ( Test-HtmlEncoding -CheckString $Rule.rule.Check.('check-content') ) + if (Test-HtmlEncoding -CheckString $Rule.rule.Check.('check-content')) { - $this.RawString = ( ConvertFrom-HtmlEncoding -CheckString $Rule.rule.Check.('check-content') ) + $this.RawString = (ConvertFrom-HtmlEncoding -CheckString $Rule.rule.Check.('check-content')) } else { $this.RawString = $Rule.rule.Check.('check-content') } - $this.SplitCheckContent = [Rule]::SplitCheckContent( $this.rawString ) - + $this.SplitCheckContent = [Rule]::SplitCheckContent($this.rawString) $this.IsNullOrEmpty = $false $this.OrganizationValueRequired = $false + $this.SetLegacyId($Rule) } #region Methods @@ -424,12 +424,18 @@ class Rule : ICloneable return Get-HardCodedOrganizationValueTestString -StigId $this.id } - <#{TODO}#> <#Remove - - hidden [void] SetDscResource () + <# + .SYNOPSIS + Sets the LegacyId from the raw xccdf xml (DISA Changes October 2020) + .DESCRIPTION + Sets the LegacyId from the raw xccdf xml (DISA Changes October 2020) + #> + hidden [void] SetLegacyId ([xml.xmlelement] $Rule) { - throw 'SetDscResource must be implemented in the child class' + $this.LegacyId = ($Rule.rule.ident | Where-Object -FilterScript {$PSItem.'#text' -match "^V-.*"}).'#text' + if ($Rule.id -match '^V-.*\.[a-z]$' -and [string]::IsNullOrEmpty($this.LegacyId) -eq $false) + { + $this.LegacyId = '{0}.{1}' -f $this.LegacyId, $Rule.id.Split('.')[1] + } } - #> - #endregion } diff --git a/source/Module/STIG/Convert/Functions.PowerStigXml.ps1 b/source/Module/STIG/Convert/Functions.PowerStigXml.ps1 index 7e8b4a8a4..0ca592429 100644 --- a/source/Module/STIG/Convert/Functions.PowerStigXml.ps1 +++ b/source/Module/STIG/Convert/Functions.PowerStigXml.ps1 
@@ -156,7 +156,6 @@ function Get-RegistryRuleExpressions { $spInclude += "Data.Mcafee.ps1" } - } } else diff --git a/source/Module/STIG/Functions.RuleQuery.ps1 b/source/Module/STIG/Functions.RuleQuery.ps1 index 96199cc72..6788dd4bd 100644 --- a/source/Module/STIG/Functions.RuleQuery.ps1 +++ b/source/Module/STIG/Functions.RuleQuery.ps1 @@ -11,6 +11,10 @@ using module ..\Rule\Rule.psm1 VulnId within PowerSTIG is typically labled as the RuleId, which may not be consistent with DISA terminology. + .PARAMETER LegacyId + Specify the "previous" VulnId/RuleId, prior to DISA October 2020 Id + updates. + .PARAMETER ProcessedXmlPath Either the folder where the processed xml resides or a specific xml path. The default is .\StigData\Processed\*.xml @@ -27,12 +31,17 @@ function Get-StigRule [OutputType([PSCustomObject])] param ( - [Parameter(Mandatory = $true, Position = 0)] + [Parameter(Mandatory = $true, Position = 0, ParameterSetName = 'VulnId')] [ValidateScript({$_ -match '^V-\d{1,}(|\.[a-z])$'})] [Alias("RuleId")] [string[]] $VulnId, + [Parameter(Mandatory = $true, ParameterSetName = 'LegacyId')] + [ValidateScript({$_ -match '^V-\d{1,}(|\.[a-z])$'})] + [string[]] + $LegacyId, + [Parameter()] [ValidateScript({Test-Path -Path $_})] [string] 
@@ -43,7 +52,24 @@ function Get-StigRule $Detailed ) - $processedXml = Select-String -Path $ProcessedXmlPath -Pattern $VulnId -Exclude '*.org.default.xml' | Sort-Object -Property Pattern + switch ($PSCmdlet.ParameterSetName) + { + 'VulnId' + { + $vulnIdPattern = 'acceptedGoogle Chrome Current Windows Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 23 Oct 20203.1.1.362251.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000039<GroupDescription></GroupDescription>DTBC-0001Firewall traversal from remote host must be disabled.<VulnDiscussion>Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. 
If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44711SV-57545CCI-001414Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative\Templates\Google\Google Chrome\Configure remote access options + Policy Name: Enable firewall traversal from remote access host + Policy State: Disabled + Policy Value: N/A + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If RemoteAccessHostFirewallTraversal is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows registry: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the RemoteAccessHostFirewallTraversal value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0002Site tracking users location must be disabled.<VulnDiscussion>Website tracking is the practice of gathering information as to which websites were accesses by a browser. The common method of doing this is to have a website create a tracking cookie on the browser. 
If the information of what sites are being accessed is made available to unauthorized persons, this violates confidentiality requirements, and over time poses a significant OPSEC issue. This policy setting allows you to set whether websites are allowed to track the user’s physical location. Tracking the user’s physical location can be allowed by default, denied by default or the user can be asked every time a website requests the physical location. + 1 = Allow sites to track the user’s physical location + 2 = Do not allow any site to track the user’s physical location + 3 = Ask whenever a site wants to track the user’s physical location</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44723SV-57557CCI-001166Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ + Policy Name: Default geolocation setting + Policy State: Enabled + Policy Value: Do not allow any site to track the users' physical location + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultGeolocationSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultGeolocationSetting value name does not exist or its value data is not set to 2, then this is a finding. 
+SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0004Sites ability to show pop-ups must be disabled.<VulnDiscussion>Chrome allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you disable this policy setting, scripts can continue to create pop-up windows, and pop-ups that hide other windows. Recommend configuring this setting to ‘2’ to help prevent malicious websites from controlling the pop-up windows or fooling users into clicking on the wrong window. If you do not configure this policy setting, most unwanted pop-up windows are prevented from appearing. If this policy is left not set, 'BlockPopups' will be used and the user will be able to change it. + 1 = Allow all sites to show pop-ups + 2 = Do not allow any site to show pop-ups</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44719SV-57553CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ + Policy Name: Default popups setting + Policy State: Enabled + Policy Value: Do not allow any site to show popups + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. 
If DefaultPopupsSetting is not displayed under the Policy Name column or it is not set to 2, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the value name DefaultPopupsSetting does not exist or its value data is not set to 2, then this is a finding. + +Note: If AO Approved exceptions to this rule have been enabled, this is not a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0005Extensions installation must be blacklisted by default.<VulnDiscussion>Extensions are developed by third party sources and are designed to extend Google Chrome's functionality. An extension can be made by anyone, to do and access almost anything on a system; this means they pose a high risk to any system that would allow all extensions to be installed by default. Allows you to specify which extensions the users can NOT install. Extensions already installed will be removed if blacklisted. A blacklist value of '*' means all extensions are blacklisted unless they are explicitly listed in the whitelist. If this policy is left not set the user can install any extension in Google Chrome.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44727SV-57561CCI-000169Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\ + Policy Name: Configure extension installation blacklist + Policy State: Enabled + Policy Value: * + +Universal method: + 1. 
In the omnibox (address bar) type chrome://policy + 2. If ExtensionInstallBlacklist is not displayed under the Policy Name column or it is not set to * under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ExtensionInstallBlacklist + 3. If the a registry value name of 1 does not exist under that key or its value is not set to *, then this is a finding. +SRG-APP-000210<GroupDescription></GroupDescription>DTBC-0006Extensions that are approved for use must be whitelisted. +<VulnDiscussion>The whitelist should only contain organizationally approved extensions. This is to prevent a user from accidently whitelisitng a malicious extension. This policy allows you to specify which extensions are not subject to the blacklist. A blacklist value of ‘*’ means all extensions are blacklisted and users can only install extensions listed in the whitelist. By default, no extensions are whitelisted. If all extensions have been blacklisted by policy, then the whitelist policy can be used to allow specific extensions to be installed. Administrators should determine which extensions should be allowed to be installed by their users. If no extensions are whitelisted, then no extensions can be installed when combined with blacklisting all extensions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44729SV-57563CCI-001170Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Extensions\ + Policy Name: Configure extension installation whitelist + Policy State: Enabled + Policy Value: oiigbmnaadbkfbmpbfijlflahbdbdgdf (or 1) + +Note: oiigbmnaadbkfbmpbfijlflahbdbdgdf is the extension ID for scriptno(a commonly used Chrome extension)Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If ExtensionInstallWhitelist is not displayed under the Policy Name column or it is not set to oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator approved extension IDs, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to the key HKLM\Software\Policies\Google\Chrome\ExtensionInstallWhitelist + 3. If the ExtensionInstallWhitelist key is not set to 1 or oiigbmnaadbkfbmpbfijlflahbdbdgdf or a list of administrator-approved extension IDs, then this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0007The default search providers name must be set.<VulnDiscussion>Specifies the name of the default search provider that is to be used, if left empty or not set, the host name specified by the search URL will be used. This policy is only considered if the 'DefaultSearchProviderEnabled' policy is enabled. When doing internet searches it is important to use an encrypted connection via https.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44733SV-57567CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ + Policy Name: Default search provider name + Policy State: Enabled + Policy Value: set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted) + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultSearchProviderName is displayed under the Policy Name column or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted) under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultSearchProviderName value name does not exist or it is not set to an organization approved encrypted search provider that corresponds to the encrypted search provider set in DTBC-0008(ex. Google Encrypted, Bing Encrypted), then this is a finding. +SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0008The default search provider URL must be set to perform encrypted searches.<VulnDiscussion>Specifies the URL of the search engine used when doing a default search. The URL should contain the string '{searchTerms}', which will be replaced at query time by the terms the user is searching for. This option must be set when the 'DefaultSearchProviderEnabled' policy is enabled and will only be respected if this is the case. 
When doing internet searches it is important to use an encrypted connection via https.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44735SV-57569CCI-000381If the system is on the SIPRNet, this requirement is NA. + +Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ + Policy Name: Default search provider search URL + Policy State: Enabled + Policy Value: Must be set to an organization-approved encrypted search string + (ex. https://www.google.com/search?q={searchTerms} or https://www.bing.com/search?q={searchTerms} )If the system is on the SIPRNet, this requirement is NA. + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultSearchProviderSearchURL is not displayed under the Policy Name column or it is not set to an organization-approved encrypted search string (ex. https://www.google.com/#q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) under the Policy Value column, this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultSearchProviderSearchURL value name does not exist or its value data is not set to an organization-approved encrypted search string (ex. 
https://www.google.com/search?q={searchTerms} or https://www.bing.com/search?q={searchTerms} ) this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0009Default search provider must be enabled.<VulnDiscussion>Policy enables the use of a default search provider. If you enable this setting, a default search is performed when the user types text in the omnibox that is not a URL. You can specify the default search provider to be used by setting the rest of the default search policies. If these are left empty, the user can choose the default provider. If you disable this setting, no search is performed when the user enters non-URL text in the omnibox. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, the default search provider is enabled, and the user will be able to set the search provider list.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57571V-44737CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Default search provider\ + Policy Name: Enable the default search provider + Policy State: Enabled + Policy Value: N/A + +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If DefaultSearchProviderEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. 
Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the DefaultSearchProviderEnabled value name does not exist or its value data is not set to 1, then this is a finding. + +Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0011The Password Manager must be disabled.<VulnDiscussion>Enables saving passwords and using saved passwords in Google Chrome. Malicious sites may take advantage of this feature by using hidden fields gain access to the stored information. If you enable this setting, users can have Google Chrome memorize passwords and provide them automatically the next time they log in to a site. If you disable this setting, users are not able to save passwords or use already saved passwords. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. ListPassword manager should not be used as it stores passwords locally.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57575V-44741CCI-000381Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Password Manager\ +Policy Name: Enable Saving Passwords to the Password Manager +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. 
If PasswordManagerEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the PasswordManagerEnabled value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000276<GroupDescription></GroupDescription>DTBC-0013The running of outdated plugins must be disabled.<VulnDiscussion>Running outdated plugins could lead to system compromise through the use of known exploits. Having plugins that updated to the most current version ensures the smallest attack surfuce possible. If you enable this setting, outdated plugins are used as normal plugins. If you disable this setting, outdated plugins will not be used and users will not be asked for permission to run them. If this setting is not set, users will be asked for permission to run outdated plugins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57579V-44745CCI-001240Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Allow running plugins that are outdated + Policy State: Disabled + Policy Value: N/A +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If AllowOutdatedPlugins is not displayed under the Policy Name column or it is not set to false under the Policy Name column, then this is a finding. + +Windows method: + 1. Start regedit + 2. 
Navigate to HKLM\Software\Policies\Google\Chrome + 3. If the AllowOutdatedPlugins value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000112<GroupDescription></GroupDescription>DTBC-0017Background processing must be disabled.<VulnDiscussion>Determines whether a Google Chrome process is started on OS login that keeps running when the last browser window is closed, allowing background apps to remain active. The background process displays an icon in the system tray and can always be closed from there. If this policy is set to True, background mode is enabled and cannot be controlled by the user in the browser settings. If this policy is set to False, background mode is disabled and cannot be controlled by the user in the browser settings. If this policy is left unset, background mode is initially disabled and can be controlled by the user in the browser settings.' - Google Chrome Administrators Policy ListThis setting, if enabled, allows Google Chrome to run at all times. There is two reasons that this is not wanted. First, it can tie up system resources that might otherwise be needed. Second, it does not make it obvious to the user that it is running and poorly written extensions could cause instability on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57587V-44753CCI-001695Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Continue running background apps when Google Chrome is closed + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If BackgroundModeEnabled is not displayed under the Policy Name column and it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the BackgroundModeEnabled value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000047<GroupDescription></GroupDescription>DTBC-0020Google Data Synchronization must be disabled.<VulnDiscussion>Disables data synchronization in Google Chrome using Google-hosted synchronization services and prevents users from changing this setting. If you enable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set the user will be able to enable Google Sync. Google Sync is used to sync information between different user devices, this data is then stored on Google owned servers. The synced data may consist of information such as email, calendars, viewing history, etc. This feature must be disabled because the organization does not have control over the servers the data is stored on.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57593V-44759CCI-001374Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Disable synchronization of data with Google + Policy State: Enabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If SyncDisabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SyncDisabled value name does not exist or its value data is not set to 1, then this is a finding. +SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0021The URL protocol schema javascript must be disabled.<VulnDiscussion>Each access to a URL is handled by the browser according to the URL's "scheme". The "scheme" of a URL is the section before the ":". The term "protocol" is often mistakenly used for a "scheme". The difference is that the scheme is how the browser handles a URL and the protocol is how the browser communicates with a service. If a scheme or its associated protocol used by a browser is insecure or obsolete, vulnerabilities can be exploited resulting in exposed data or unrestricted access to the browser's system. The browser must be configured to disable the use of insecure and obsolete schemas (protocols). +This policy disables the listed protocol schemes in Google Chrome, URLs using a scheme from this list will not load and cannot be navigated to. 
If this policy is left not set or the list is empty all schemes will be accessible in Google Chrome.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57595V-44761CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Block access to a list of URLs + Policy State: Enabled + Policy Value 1: javascript://*Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If URLBlacklist is not displayed under the Policy Name column or it is not set to javascript://* under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\URLBlacklist + 3. If the URLBlacklist key does not exist, or the does not contain entries 1 set to javascript://*, then this is a finding. + +SRG-APP-000047<GroupDescription></GroupDescription>DTBC-0023Cloud print sharing must be disabled.<VulnDiscussion>Policy enables Google Chrome to act as a proxy between Google Cloud Print and legacy printers connected to the machine. If this setting is enabled or not configured, users can enable the cloud print proxy by authentication with their Google account. If this setting is disabled, users cannot enable the proxy, and the machine will not be allowed to share it’s printers with Google Cloud Print. 
If this policy is not set, this will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57599V-44765CCI-001374Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Enable Google Cloud Print proxy + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If CloudPrintProxyEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the CloudPrintProxyEnabled value name does not exist or its value data is not set to 0, then this is a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTBC-0025Network prediction must be disabled.<VulnDiscussion>Enables network prediction in Google Chrome and prevents users from changing this setting. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. 
If this policy is left not set, this will be disabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57603V-44769CCI-000366Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Enable network prediction +Policy State: Enabled +Policy Value: Do not predict network actions on any network connectionUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If "NetworkPredictionOptions" is not displayed under the “Policy Name” column or it is not set to "2" under the “Policy Value” column, this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "NetworkPredictionOptions" value name does not exist or its value data is not set to "2," this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0026Metrics reporting to Google must be disabled.<VulnDiscussion>Enables anonymous reporting of usage and crash-related data about Google Chrome to Google and prevents users from changing this setting. If you enable this setting, anonymous reporting of usage and crash-related data is sent to Google. A crash report could contain sensitive information from the computer's memory. If you disable this setting, anonymous reporting of usage and crash-related data is never sent to Google. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. 
If this policy is left not set the setting will be what the user chose upon installation / first run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-57605V-44771CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Enable reporting of usage and crash-related data + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If MetricsReportingEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the MetricsReportingEnabled value name does not exist or its value data is not set to 0, then this is a finding. + +Note: This policy will only display in the chrome://policy tab on domain joined systems. On standalone systems, the policy will not display.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0027Search suggestions must be disabled.<VulnDiscussion>Search suggestion should be disabled as it could lead to searches being conducted that were never intended to be made. Enables search suggestions in Google Chrome's omnibox and prevents users from changing this setting. If you enable this setting, search suggestions are used. If you disable this setting, search suggestions are never used. 
If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44773SV-57607CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Enable search suggestions + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If SearchSuggestEnabled is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SearchSuggestEnabled value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0029Importing of saved passwords must be disabled.<VulnDiscussion>Importing of saved passwords should be disabled as it could lead to unencrypted account passwords stored on the system from another browser to be viewed. This policy forces the saved passwords to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. If disabled, the saved passwords are not imported. 
If it is not set, the user may be asked whether to import, or importing may happen automatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44775SV-57609CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Import saved passwords from default browser on first run + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If ImportSavedPasswords is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the ImportSavedPasswords value name does not exist or its value data is not set to 0, then this is a finding.SRG-APP-000080<GroupDescription></GroupDescription>DTBC-0030Incognito mode must be disabled.<VulnDiscussion>Incognito mode allows the user to browse the Internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. Best practice requires that browser history is retained. The "IncognitoModeAvailability" setting controls whether the user may utilize Incognito mode in Google Chrome. If 'Enabled' is selected or the policy is left unset, pages may be opened in Incognito mode. If 'Disabled' is selected, pages may not be opened in Incognito mode. If 'Forced' is selected, pages may be opened ONLY in Incognito mode. 
+ 0 = Incognito mode available. + 1 = Incognito mode disabled. + 2 = Incognito mode forced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44777SV-57611CCI-000166Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Incognito mode availability + Policy State: Enabled + Policy Value: Incognito mode disabledUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If IncognitoModeAvailability is not displayed under the Policy Name column or it is not set to 1 under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the IncognitoModeAvailability value name does not exist or its value data is not set to 1, then this is a finding. +SRG-APP-000605<GroupDescription></GroupDescription>DTBC-0037Online revocation checks must be done.<VulnDiscussion>By setting this policy to true, the previous behavior is restored and online OCSP/CRL checks will be performed. If the policy is not set, or is set to false, then Chrome will not perform online revocation checks. 
Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44789SV-57623CCI-000185Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Whether online OCSP/CRL checks are performed + Policy State: Enabled + Policy Value: N/A +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If EnableOnlineRevocationChecks is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the EnableOnlineRevocationChecks value name does not exist or its value data is not set to 1, then this is a finding. +SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0038Safe Browsing must be enabled,<VulnDiscussion>Enables Google Chrome's Safe Browsing feature and prevents users from changing this setting. If you enable this setting, Safe Browsing is always active. If you disable this setting, Safe Browsing is never active. If you enable or disable this setting, users cannot change or override this setting in Google Chrome. If this policy is left not set, this will be enabled but the user will be able to change it. 
Safe browsing uses a signature database to test sites when they are be loaded to ensure they don't contain any known malware.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44791SV-57625CCI-001166Windows group policy: + 1. Open the “group policy editor” tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Safe Browsing Settings + Policy Name: Enable Safe Browsing + Policy State: Enabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If SafeBrowsingEnabled is not displayed under the Policy Name column or it is not set to true under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SafeBrowsingEnabled value name does not exist or its value data is not set to 1, then this is a finding. +SRG-APP-000231<GroupDescription></GroupDescription>DTBC-0039Browser history must be saved.<VulnDiscussion>This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. 
If this setting is disabled or not set, browsing history is saved.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44793SV-57627CCI-001199Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Disable saving browser history + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If the policy 'SavingBrowserHistoryDisabled' is not shown or is not set to false, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SavingBrowserHistoryDisabled value name does not exist or its value data is not set to 0, then this is a finding. +SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0040Default behavior must block webpages from automatically running plugins.<VulnDiscussion>This policy allows you to set whether websites are allowed to automatically run the Flash plugin. Automatically running the Flash plugin can be either allowed for all websites or denied for all websites. If this policy is left not set, the user will be able to change this setting manually. 
+ 1 = Allow all sites to automatically run Flash plugin + 2 = Block the Flash plugin + 3 = Click to play</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44795SV-57629CCI-000169Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings\ + Policy Name: Default Flash setting + Policy State: Enabled + Policy Value: Click to playUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If the policy "DefaultPluginsSetting" is not shown or is not set to "3", this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\DefaultPluginsSetting + 3. If this key "DefaultPluginsSetting" does not exist or is not set to "3", this is a finding.SRG-APP-000080<GroupDescription></GroupDescription>DTBC-0045Session only based cookies must be disabled.<VulnDiscussion>Policy allows you to set a list of URL patterns that specify sites which are allowed to set session only cookies. If this policy is left not set the global default value will be used for all sites either from the 'DefaultCookiesSetting' policy if it is set, or the user's personal configuration otherwise. 
If the 'RestoreOnStartup' policy is set to restore URLs from previous sessions this policy will not be respected and cookies will be stored permanently for those sites.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44799SV-57633CCI-000166Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings + Policy Name: Allow session only cookies on these sites + Policy State: Disabled + Policy Value: N/AUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If the policy ”CookiesSessionOnlyForUrls” exists, and has any defined values, this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\CookiesSessionOnlyForUrls + 3. If this key exists and has any defined values, this is a finding.SRG-APP-000456<GroupDescription></GroupDescription>DTBC-0050The version of Google Chrome running on the system must be a supported version.<VulnDiscussion>Google Chrome is being continually updated by the vendor in order to address identified security vulnerabilities. 
Running an older version of the browser can introduce security vulnerabilities to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-44805SV-57639CCI-002605Install a supported version of Google Chrome.Universal method: +1. In the omnibox (address bar) type chrome://settings/help +2. Cross-reference the build information displayed with the Google Chrome site to identify, at minimum, the oldest supported build available. As of July 2019, this is 74.x.x. +3. If the installed version of Chrome is not supported by Google, this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0051URLs must be whitelisted for plugin use<VulnDiscussion>This policy allows you to set a list of URL patterns that specify sites which are allowed to run the Flash plugin. If this policy is left not set, the global default value will be used for all sites either from the "DefaultPluginsSetting" policy if it is set, or the user’s personal configuration otherwise. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-52795SV-67011CCI-000381Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings + Policy Name: Allow the Flash plugin on these sites + Policy State: Enabled + Policy Value 1: [*.]mil + Policy Value 2: [*.]govUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If PluginsAllowedForUrls is not displayed under the Policy Name column or it is not set to a list of administrator approved URLs under the Policy Value column, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the PluginsAllowedForUrls key does not exist and it does not contain a list of administrator approved URLs then this is a finding. + +Suggested: the set or subset of [*.]mil and [*.]govSRG-APP-000089<GroupDescription></GroupDescription>DTBC-0052Deletion of browser history must be disabled.<VulnDiscussion>Disabling this function will prevent users from deleting their browsing history, which could be used to identify malicious websites and files that could later be used for anti-virus and Intrusion Detection System (IDS) signatures. Furthermore, preventing users from deleting browsing history could be used to identify abusive web surfing on government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-75165SV-89845CCI-000169Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. 
Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Enable deleting browser and download history + Policy State: Disabled + Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If the policy "AllowDeletingBrowserHistory" is not shown or is not set to false, this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "AllowDeletingBrowserHistory" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0053Prompt for download location must be enabled.<VulnDiscussion>If the policy is enabled, the user will be asked where to save each file before downloading. If the policy is disabled, downloads will start immediately, and the user will not be asked where to save the file. If the policy is not configured, the user will be able to change this setting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-94633V-79929CCI-000169Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Ask where to save each file before downloading + Policy State: Enabled + Policy Value: N/AUniversal method: +1. In the omnibox (address bar) type chrome:// policy +2. 
If "PromptForDownloadLocation" is not displayed under the "Policy Name" column or it is not set to "true" under the "Policy Value" column, then this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "PromptForDownloadLocation" value name does not exist or its value data is not set to "1", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0055Download restrictions must be configured.<VulnDiscussion>Configure the type of downloads that Google Chrome will completely block, without letting users override the security decision. If you set this policy, Google Chrome will prevent certain types of downloads, and will not let user bypass the security warnings. When the "Block dangerous downloads" option is chosen, all downloads are allowed, except for those that carry SafeBrowsing warnings. When the "Block potentially dangerous downloads" option is chosen, all downloads allowed, except for those that carry SafeBrowsing warnings of potentially dangerous downloads. When the "Block all downloads" option is chosen, all downloads are blocked. When this policy is not set, (or the "No special restrictions" option is chosen), the downloads will go through the usual security restrictions based on SafeBrowsing analysis results. + +Note that these restrictions apply to downloads triggered from web page content, as well as the 'download link...' context menu option. These restrictions do not apply to the save / download of the currently displayed page, nor does it apply to saving as PDF from the printing options. See https://developers.google.com/safe-browsing for more info on SafeBrowsing. 
+0 = No special restrictions +1 = Block dangerous downloads +2 = Block potentially dangerous downloads +3 = Block all downloads</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-94635V-79931CCI-000169If the system is on the SIPRNet, this requirement is NA. +Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Allow download restrictions +Policy State: 1 or 2 +Policy Value: N/AIf the system is on the SIPRNet, this requirement is NA. +Universal method: +1. In the omnibox (address bar) type chrome:// policy +2. If "DownloadRestrictions" is not displayed under the "Policy Name" column or it is not set to "1" or "2" under the "Policy Value" column, then this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "DownloadRestrictions" value name does not exist or its value data is not set to "1" or "2", then this is a finding.SRG-APP-000416<GroupDescription></GroupDescription>DTBC-0056Chrome must be configured to allow only TLS.<VulnDiscussion>If this policy is not configured then Google Chrome uses a default minimum version, which is TLS 1.0. Otherwise, it may be set to one of the following values: "tls1", "tls1.1" or "tls1.2". +When set, Google Chrome will not use SSL/TLS versions less than the specified version. An unrecognized value will be ignored. 
+"tls1" = TLS 1.0 +"tls1.1" = TLS 1.1 +"tls1.2" = TLS 1.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96297V-81583CCI-002450Windows group policy: + 1. Open the “group policy editor” tool with gpedit.msc. + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Minimum SSL version enabled + Policy State: Enabled + Policy Value: TLS 1.1Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "SSLVersionMin" is not displayed under the "Policy Name" column or it is not set to "tls1.1", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "SSLVersionMin" value name does not exist or its value data is not set to "tls1.1", this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0057Safe Browsing Extended Reporting must be disabled.<VulnDiscussion>Enables Google Chrome's Safe Browsing Extended Reporting and prevents users from changing this setting. Extended Reporting sends some system information and page content to Google servers to help detect dangerous apps and sites. +If the setting is set to "True", then reports will be created and sent whenever necessary (such as when a security interstitial is shown). +If the setting is set to "False", reports will never be sent. +If this policy is set to "True" or "False", the user will not be able to modify the setting. 
+If this policy is left unset, the user will be able to change the setting and decide whether to send reports or not.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96299V-81585CCI-001166Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Safe Browsing settings\ +Policy Name: Enable Safe Browsing Extended Reporting +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "SafeBrowsingExtendedReportingEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "SafeBrowsingExtendedReportingEnabled" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0058WebUSB must be disabled.<VulnDiscussion>Allows you to set whether websites are allowed to get access to connected USB devices. Access can be completely blocked, or the user can be asked every time a website wants to get access to connected USB devices. +If this policy is left not set, ”3” will be used, and the user will be able to change it. 
+2 = Do not allow any site to request access to USB devices via the WebUSB API +3 = Allow sites to ask the user to grant access to a connected USB device</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96301V-81587CCI-000381Windows group policy: + 1. Open the “group policy editor” tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Content Settings + Policy Name: Control use of the WebUSB API + Policy State: Enabled + Policy Value: 2 +Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "DefaultWebUsbGuardSetting" is not displayed under the "Policy Name" column or it is not set to "2", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "DefaultWebUsbGuardSetting" value name does not exist or its value data is not set to "2", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0060Chrome Cleanup must be disabled.<VulnDiscussion>If set to “False”, prevents Chrome Cleanup from scanning the system for unwanted software and performing cleanups. Manually triggering Chrome Cleanup from chrome://settings/cleanup is disabled. +If set to “True” or unset, Chrome Cleanup periodically scans the system for unwanted software and should any be found, will ask the user if they wish to remove it. Manually triggering Chrome Cleanup from chrome://settings is enabled. 
+This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96305V-81591CCI-000169Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome +Policy Name: Enables Chrome Cleanup on Windows +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "ChromeCleanupEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "ChromeCleanupEnabled" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000089<GroupDescription></GroupDescription>DTBC-0061Chrome Cleanup reporting must be disabled.<VulnDiscussion>If unset, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will then ask the user if they wish to clean up the unwanted software. The user can choose to share results of the cleanup with Google to assist with future unwanted software detection. These results contain file metadata and registry keys as described by the Chrome Privacy Whitepaper. 
+If set to “false”, should Chrome Cleanup detect unwanted software, it will not report metadata about the scan to Google, overriding any policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will not be reported to Google and the user will not have the option to do so. +If set to “true”, should Chrome Cleanup detect unwanted software, it may report metadata about the scan to Google in accordance with policy set by “SafeBrowsingExtendedReportingEnabled”. Chrome Cleanup will ask the user if they wish to clean up the unwanted software. Results of the cleanup will be reported to Google and the user will not have the option to prevent it. +This policy is available only on Windows instances that are joined to a Microsoft Active Directory domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96307V-81593CCI-000169Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome +Policy Name: Control how Chrome Cleanup reports data to Google +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "ChromeCleanupReportingEnabled" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. 
If the "ChromeCleanupReportingEnabled" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0063Google Cast must be disabled.<VulnDiscussion>If this policy is set to ”True” or is not set, Google Cast will be enabled, and users will be able to launch it from the app menu, page context menus, media controls on Cast-enabled websites, and (if shown) the “Cast toolbar” icon. +If this policy set to ”False”, Google Cast will be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96311V-81597CCI-000381Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\Google Cast +Policy Name: Enable Google Cast +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "EnableMediaRouter" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "EnableMediaRouter" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTBC-0064Autoplay must be disabled.<VulnDiscussion>Allows you to control if videos can play automatically (without user consent) with audio content in Google Chrome. +If the policy is set to “True”, Google Chrome is allowed to autoplay media. 
If the policy is set to “False”, Google Chrome is not allowed to autoplay media. The “AutoplayWhitelist” policy can be used to override this for certain URL patterns. By default, Google Chrome is not allowed to autoplay media. The “AutoplayWhitelist” policy can be used to override this for certain URL patterns.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96295V-81581CCI-000381Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Allow media autoplay +Policy State: Disabled +Policy Value: N/AUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If "AutoplayAllowed" is not displayed under the "Policy Name" column or it is not set to "False", this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the "AutoplayAllowed" value name does not exist or its value data is not set to "0", this is a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTBC-0065URLs must be whitelisted for Autoplay use.<VulnDiscussion>Controls the whitelist of URL patterns that autoplay will always be enabled on. +If the “AutoplayAllowed” policy is set to “True” then this policy will have no effect. 
+If the “AutoplayAllowed” policy is set to “False” then any URL patterns set in this policy will still be allowed to play.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-96303V-81589CCI-001170Windows group policy: +1. Open the “group policy editor” tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome +Policy Name: Allow media autoplay on a whitelist of URL patterns +Policy State: Enabled +Policy Value 1: [*.]mil +Policy Value 2: [*.]govUniversal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If “AutoplayWhitelist” is not displayed under the “Policy Name” column or it is not set to a list of administrator-approved URLs under the “Policy Value” column, this is a finding. +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the “AutoplayWhitelist” key does not exist and it does not contain a list of administrator-approved URLs, this is a finding. +Suggested: the set or subset of [*.]mil and [*.]govSRG-APP-000206<GroupDescription></GroupDescription>DTBC-0066Anonymized data collection must be disabled.<VulnDiscussion>Enable URL-keyed anonymized data collection in Google Chrome and prevent users from changing this setting. +URL-keyed anonymized data collection sends URLs of pages the user visits to Google to make searches and browsing better. +If you enable this policy, URL-keyed anonymized data collection is always active. +If you disable this policy, URL-keyed anonymized data collection is never active. 
+If this policy is left not set, URL-keyed anonymized data collection will be enabled but the user will be able to change it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-91203SV-101303CCI-001166Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Enable URL-keyed anonymized data collection +Policy State: Disabled +Policy Value: NAUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If "UrlKeyedAnonymizedDataCollectionEnabled" is not displayed under the “Policy Name” column or it is not set to "0" under the “Policy Value” column, this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the “UrlKeyedAnonymizedDataCollectionEnabled" value name does not exist or its value data is not set to "0," this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0067Collection of WebRTC event logs must be disabled.<VulnDiscussion>If the policy is set to “true”, Google Chrome is allowed to collect WebRTC event logs from Google services (e.g., Google Meet), and upload those logs to Google. +If the policy is set to “false”, or is unset, Google Chrome may not collect nor upload such logs. 
+These logs contain diagnostic information helpful when debugging issues with audio or video calls in Chrome, such as the time and size of sent and received RTP packets, feedback about congestion on the network, and metadata about time and quality of audio and video frames. These logs do not contain audio or video contents from the call. +This data collection by Chrome can only be triggered by Google's web services, such as Google Hangouts or Google Meet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-91205SV-101305CCI-001166Windows group policy: +1. Open the group policy editor tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Allow collection of WebRTC event logs from Google services +Policy State: Disabled +Policy Value: NAUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If "WebRtcEventLogCollectionAllowed" is not displayed under the “Policy Name” column or it is not set to "0" under the “Policy Value” column, this is a finding. +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the "WebRtcEventLogCollectionAllowed" value name does not exist or its value data is not set to "0," this is a finding.SRG-APP-000266<GroupDescription></GroupDescription>DTBC-0068Chrome development tools must be disabled.<VulnDiscussion>While the risk associated with browser development tools is more related to the proper design of a web application, a risk vector remains within the browser. 
The developer tools allow end users and application developers to view and edit all types of web application related data via the browser. Page elements, source code, javascript, API calls, application data, etc. may all be viewed and potentially manipulated. Manipulation could be useful for troubleshooting legitimate issues, and this may be performed in a development environment. Manipulation could also be malicious and must be addressed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-97525SV-106629CCI-001312Windows group policy: +1. Open the "group policy editor" tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome +Policy Name: Control where Developer Tools can be used +Policy State: Enabled +Policy Value: Disallow usage of the Developer ToolsUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If the policy "DeveloperToolsAvailability" is not shown or is not set to "2", this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the key "DeveloperToolsAvailability" does not exist or is not set to "2", this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0069Guest Mode must be disabled.<VulnDiscussion>If this policy is set to true or not configured, Google Chrome will enable guest logins. Guest logins are Google Chrome profiles where all windows are in incognito mode. 
+ +If this policy is set to false, Google Chrome will not allow guest profiles to be started.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-102867SV-111829CCI-001166Windows group policy: +1. Open the "group policy editor" tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Enable guest mode in browser +Policy State: DisabledUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If BrowserGuestModeEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the BrowserGuestModeEnabled value name does not exist or its value data is not set to 0, this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0070AutoFill for credit cards must be disabled.<VulnDiscussion>Enabling Google Chrome's AutoFill feature allows users to auto complete credit card information in web forms using previously stored information. +If this setting is disabled, Autofill will never suggest or fill credit card information, nor will it save additional credit card information that the user might submit while browsing the web. 
+ +If this setting is enabled or has no value, the user will be able to control Autofill for credit cards in the UI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081V-102869SV-111831CCI-001166Windows group policy: +1. Open the "group policy editor" tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Enable AutoFill for credit cards +Policy State: DisabledUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If AutofillCreditCardEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the AutofillCreditCardEnabled value name does not exist or its value data is not set to 0, this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0071AutoFill for addresses must be disabled.<VulnDiscussion>Enabling Google Chrome's AutoFill feature allows users to auto complete address information in web forms using previously stored information. +If this setting is disabled, Autofill will never suggest or fill address information, nor will it save additional address information that the user might submit while browsing the web. 
+ +If this setting is enabled or has no value, the user will be able to control Autofill for addresses in the UI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-111833V-102871CCI-001166Windows group policy: +1. Open the "group policy editor" tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Enable AutoFill for addresses +Policy State: DisabledUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If AutofillAddressEnabled is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the AutofillAddressEnabled value name does not exist or its value data is not set to 0, this is a finding.SRG-APP-000206<GroupDescription></GroupDescription>DTBC-0072Import AutoFill form data must be disabled.<VulnDiscussion>This policy forces the autofill form data to be imported from the previous default browser if enabled. If enabled, this policy also affects the import dialog. +If disabled, the autofill form data is not imported. 
+ +If it is not set, the user may be asked whether to import, or importing may happen automatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Google Chrome Current WindowsDISADPMS TargetGoogle Chrome Current Windows4081SV-111835V-102873CCI-001166Windows group policy: +1. Open the "group policy editor" tool with gpedit.msc +2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ +Policy Name: Import autofill form data from default browser on first run +Policy State: DisabledUniversal method: +1. In the omnibox (address bar) type chrome://policy +2. If ImportAutofillFormData is not displayed under the Policy Name column or it is not set to 0 under the Policy Value column, this is a finding. + +Windows method: +1. Start regedit +2. Navigate to HKLM\Software\Policies\Google\Chrome\ +3. If the ImportAutofillFormData value name does not exist or its value data is not set to 0, this is a finding. + diff --git a/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R21_Manual-xccdf.log b/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R21_Manual-xccdf.log deleted file mode 100644 index 50195f3e0..000000000 --- a/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R21_Manual-xccdf.log +++ /dev/null 
@@ -1,14 +0,0 @@ -V-63423::"Minimum password length,"::"Minimum password length" -V-63429::"Store password using reversible encryption"::"Store passwords using reversible encryption" -V-63685::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'; ValueData = 'Block'; ValueName = 'ShellSmartScreenLevel'; ValueType = 'String'}HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'; ValueData = $null; ValueName = 'EnableSmartScreen'; ValueType = 'Dword'; OrganizationValueTestString = "{0} -eq 1|2"} -V-68819::Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ -V-77209::ImageLoad OverrideBlockRemoteImages: False::OverrideBlockRemoteImages: False -V-74413::Registry Path: \SOFTWARE\Policies\Microsoft\ Cryptography\Configuration\SSL\00010002\::Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\ -V-88203::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive\AllowTenantList'; ValueData = $null; ValueName = $null; ValueType = 'String'; OrganizationValueTestString = "both ValueName and ValueData equal the Organization's Tenant Guid, otherwise both should be '1111-2222-3333-4444'"} -V-94861::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE'; ValueData = $null; ValueName = 'MinimumPIN'; ValueType = 'DWord'; OrganizationValueTestString = 'ValueData is set to 0x00000006 (6) or greater '} -V-99559::Value data: 0::Value: 0x00000000 (0) -V-99561::Value data: 1::Value: 0x00000001 (1) 
-V-100093::RegistryPath\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam::Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam -V-100093::This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.::ValueType: REG_SZ -V-100093::This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.::Value: Deny -V-100093::Value Name: Deny::ValueName: Value diff --git a/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R21_Manual-xccdf.xml b/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R21_Manual-xccdf.xml deleted file mode 100644 index 3e3ed80ae..000000000 --- a/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V1R21_Manual-xccdf.xml +++ /dev/null 
@@ -1,4583 +0,0 @@ -acceptedWindows 10 Security Technical Implementation GuideThe Windows 10 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.Developed_by_DISA_for_the_DoDDISASTIG.DOD.MILRelease: 21 Benchmark Date: 24 Apr 20201I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>WN10-00-000005<GroupDescription></GroupDescription>WN10-00-000005Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.<VulnDiscussion>Features such as Credential Guard use virtualization based security to protect information that could be used in credential theft attacks if compromised. There are a number of system requirements that must be met in order for Credential Guard to be configured and enabled properly. 
Virtualization based security and Credential Guard are only available with Windows 10 Enterprise 64-bit version.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Use Windows 10 Enterprise 64-bit version for domain-joined systems.Verify domain-joined systems are using Windows 10 Enterprise Edition 64-bit version. - -For standalone systems, this is NA. - -Open "Settings". - -Select "System", then "About". - -If "Edition" is not "Windows 10 Enterprise", this is a finding. - -If "System type" is not "64-bit operating system…", this is a finding.WN10-CC-000310<GroupDescription></GroupDescription>WN10-CC-000310Users must be prevented from changing installation options.<VulnDiscussion>Installation options for applications are typically controlled by administrators. 
This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001812Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Allow user control over installs" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ - -Value Name: EnableUserControl - -Value Type: REG_DWORD -Value: 0WN10-00-000010<GroupDescription></GroupDescription>WN10-00-000010Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.<VulnDiscussion>Credential Guard uses virtualization based security to protect information that could be used in credential theft attacks if compromised. There are a number of system requirements that must be met in order for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366For standalone systems, this is NA. 
- -Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. - -For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. - -Ensure domain-joined systems must have a Trusted Platform Module (TPM) that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) - -The TPM must be enabled in the firmware. -Run "tpm.msc" for configuration options in Windows.Verify domain-joined systems have a TPM enabled and ready for use. - -For standalone systems, this is NA. - -Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. - -For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. - -Verify the system has a TPM and is ready for use. -Run "tpm.msc". -Review the sections in the center pane. -"Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". -TPM Manufacturer Information - Specific Version = 2.0 or 1.2 - -If a TPM is not found or is not ready for use, this is a finding.WN10-CC-000315<GroupDescription></GroupDescription>WN10-CC-000315The Windows Installer Always install with elevated privileges must be disabled.<VulnDiscussion>Standard user accounts must not be granted elevated privileges. 
Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001812Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ - -Value Name: AlwaysInstallElevated - -Value Type: REG_DWORD -Value: 0WN10-CC-000320<GroupDescription></GroupDescription>WN10-CC-000320Users must be notified if a web-based program attempts to install software.<VulnDiscussion>Web-based programs may attempt to install malicious software on a system. Ensuring users are notified if a web-based program attempts to install software allows them to refuse the installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. 
- -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Not Configured" or "Disabled".The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. - -If the registry value name below does not exist, this is not a finding. - -If it exists and is configured with a value of "0", this is not a finding. - -If it exists and is configured with a value of "1", this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ - -Value Name: SafeForScripting - -Value Type: REG_DWORD -Value: 0 (or if the Value Name does not exist)WN10-CC-000325<GroupDescription></GroupDescription>WN10-CC-000325Automatically signing in the last interactive user after a system-initiated restart must be disabled.<VulnDiscussion>Windows can be configured to automatically sign the user back in after a Windows Update restart. 
Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> "Sign-in last interactive user automatically after a system-initiated restart" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: DisableAutomaticRestartSignOn - -Value Type: REG_DWORD -Value: 1WN10-CC-000330<GroupDescription></GroupDescription>WN10-CC-000330The Windows Remote Management (WinRM) client must not use Basic authentication.<VulnDiscussion>Basic authentication uses plain text passwords that could be used to compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000877Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow 
Basic authentication" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ - -Value Name: AllowBasic - -Value Type: REG_DWORD -Value: 0WN10-00-000030<GroupDescription></GroupDescription>WN10-00-000030Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.<VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001199CCI-002475CCI-002476Enable full disk encryption on all information systems (including SIPRNET) using BitLocker. - -BitLocker, included in Windows, can be enabled in the Control Panel under "BitLocker Drive Encryption" as well as other management tools. - -NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).Verify all Windows 10 information systems (including SIPRNET) employ BitLocker for full disk encryption. - -If full disk encryption using BitLocker is not implemented, this is a finding. 
- -Verify BitLocker is turned on for the operating system drive and any fixed data drives. - -Open "BitLocker Drive Encryption" from the Control Panel. - -If the operating system drive or any fixed data drives have "Turn on BitLocker", this is a finding. - -NOTE: An alternate encryption application may be used in lieu of BitLocker providing it is configured for full disk encryption and satisfies the pre-boot authentication requirements (WN10-00-000031 and WN10-00-000032).WN10-CC-000335<GroupDescription></GroupDescription>WN10-CC-000335The Windows Remote Management (WinRM) client must not allow unencrypted traffic.<VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002890CCI-003123Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow unencrypted traffic" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ - -Value Name: AllowUnencryptedTraffic - -Value Type: REG_DWORD -Value: 0WN10-CC-000360<GroupDescription></GroupDescription>WN10-CC-000360The Windows Remote Management (WinRM) client must not use Digest authentication.<VulnDiscussion>Digest authentication is not as strong as other options and may be subject to man-in-the-middle 
attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000877Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Disallow Digest authentication" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ - -Value Name: AllowDigest - -Value Type: REG_DWORD -Value: 0WN10-00-000025<GroupDescription></GroupDescription>WN10-00-000025Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).<VulnDiscussion>An approved tool for continuous network scanning must be installed and configured to run. - -Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. 
- -To support this requirement, the operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools, as specified in the requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001233Install DoD approved HBSS software and ensure it is operating continuously.Verify DoD approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. - -If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured, maintained, or used, this is a finding.WN10-00-000035<GroupDescription></GroupDescription>WN10-00-000035The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.<VulnDiscussion>Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. - -The organization must identify authorized software programs and only permit execution of authorized software. 
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001774Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. - -Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows 10 Enterprise. - -If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. - -Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: - -https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfmThis is applicable to unclassified systems; for other systems this is NA. - -Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. This must include packaged apps such as the universals apps installed by default on systems. - -If an application whitelisting program is not in use on the system, this is a finding. - -Configuration of whitelisting applications will vary by the program. - -AppLocker is a whitelisting application built into Windows 10 Enterprise. 
A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. - -If AppLocker is used, perform the following to view the configuration of AppLocker: -Run "PowerShell". - -Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: -Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml - -This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. - -Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: - -https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfmWN10-CC-000345<GroupDescription></GroupDescription>WN10-CC-000345The Windows Remote Management (WinRM) service must not use Basic authentication.<VulnDiscussion>Basic authentication uses plain text passwords that could be used to compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000877Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow Basic authentication" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ - -Value Name: AllowBasic - -Value Type: REG_DWORD -Value: 
0WN10-00-000040<GroupDescription></GroupDescription>WN10-00-000040Windows 10 systems must be maintained at a supported servicing level.<VulnDiscussion>Windows 10 is maintained by Microsoft at servicing levels for specific periods of time to support Windows as a Service. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities which leaves them subject to exploitation. - -New versions with feature updates are planned to be released on a semi-annual basis with an estimated support timeframe of 18 to 30 months depending on the release. Support for previously released versions has been extended for Enterprise editions. - -A separate servicing branch intended for special purpose systems is the Long-Term Servicing Channel (LTSC, formerly Branch - LTSB) which will receive security updates for 10 years but excludes feature updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Update systems on the Semi-Annual Channel to "Microsoft Windows Version 1709 (OS Build 16299.0)" or greater. - -It is recommended systems be upgraded to the most recently released version. - -Special purpose systems using the Long-Term Servicing Branch\Channel (LTSC\B) may be at the following versions: - -v1507 (Build 10240) -v1607 (Build 14393) -v1809 (Build 17763)Run "winver.exe". - -If the "About Windows" dialog box does not display: - -"Microsoft Windows Version 1709 (OS Build 16299.0)" - -or greater, this is a finding. - -Note: Microsoft has extended support for previous versions providing critical and important updates for Windows 10 Enterprise. 
- -Microsoft scheduled end of support dates for current Semi-Annual Channel versions: -v1703 - 8 October 2019 -v1709 - 14 April 2020 -v1803 - 10 November 2020 -v1809 - 13 April 2021 -v1903 - 8 December 2020 - -No preview versions will be used in a production environment. - -Special purpose systems using the Long-Term Servicing Branch\Channel (LTSC\B) may be at following versions which are not a finding: - -v1507 (Build 10240) -v1607 (Build 14393) -v1809 (Build 17763)WN10-00-000045<GroupDescription></GroupDescription>WN10-00-000045The Windows 10 system must use an anti-virus program.<VulnDiscussion>Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Install an anti-virus solution on the system.Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. - -If there is no anti-virus solution installed on the system, this is a finding.WN10-00-000050<GroupDescription></GroupDescription>WN10-00-000050Local volumes must be formatted using NTFS.<VulnDiscussion>The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. 
To support this, volumes must be formatted using the NTFS file system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000213Format all local volumes to use NTFS.Run "Computer Management". -Navigate to Storage >> Disk Management. - -If the "File System" column does not indicate "NTFS" for each volume assigned a drive letter, this is a finding. - -This does not apply to system partitions such the Recovery and EFI System Partition.WN10-00-000055<GroupDescription></GroupDescription>WN10-00-000055Alternate operating systems must not be permitted on the same system.<VulnDiscussion>Allowing other operating systems to run on a secure system may allow security to be circumvented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure Windows 10 is the only operating system on a device. Remove alternate operating systems.Verify the system does not include other operating system installations. - -Run "Advanced System Settings". -Select the "Advanced" tab. -Click the "Settings" button in the "Startup and Recovery" section. 
- -If the drop-down list box "Default operating system:" shows any operating system other than Windows 10, this is a finding.WN10-00-000060<GroupDescription></GroupDescription>WN10-00-000060Non system-created file shares on a system must limit access to groups that require it.<VulnDiscussion>Shares which provide network access, should not typically exist on a workstation except for system-created administrative shares, and could potentially expose sensitive information. If a share is necessary, share permissions, as well as NTFS permissions, must be reconfigured to give the minimum access to those accounts that require it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001090If a non system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. - -Remove any unnecessary non-system created shares.Non system-created shares should not typically exist on workstations. - -If only system-created shares exist on the system this is NA. - -Run "Computer Management". -Navigate to System Tools >> Shared Folders >> Shares. - -If the only shares listed are "ADMIN$", "C$" and "IPC$", this is NA. -(Selecting Properties for system-created shares will display a message that it has been shared for administrative purposes.) - -Right click any non-system-created shares. -Select "Properties". -Select the "Share Permissions" tab. - -Verify the necessity of any shares found. -If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. 
- -Select the "Security" tab. - -If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding.WN10-00-000065<GroupDescription></GroupDescription>WN10-00-000065Unused accounts must be disabled or removed from the system after 35 days of inactivity.<VulnDiscussion>Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disable until needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000795Regularly review local accounts and verify their necessity. Disable or delete any active accounts that have not been used in the last 35 days.Run "PowerShell". -Copy the lines below to the PowerShell window and enter. - -"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { - $user = ([ADSI]$_.Path) - $lastLogin = $user.Properties.LastLogin.Value - $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 - if ($lastLogin -eq $null) { - $lastLogin = 'Never' - } - Write-Host $user.Name $lastLogin $enabled -}" - -This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). -For example: User1 10/31/2015 5:49:56 AM True - -Review the list to determine the finding validity for each account reported. 
- -Exclude the following accounts: -Built-in administrator account (Disabled, SID ending in 500) -Built-in guest account (Disabled, SID ending in 501) -Built-in DefaultAccount (Disabled, SID ending in 503) -Local administrator account - -If any enabled accounts have not been logged on to within the past 35 days, this is a finding. - -Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.WN10-00-000070<GroupDescription></GroupDescription>WN10-00-000070Only accounts responsible for the administration of a system must have Administrator rights on the system.<VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. - -System administrators must log on to systems only using accounts with the minimum level of authority necessary. - -For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group (see V-36434 in the Active Directory Domain STIG). Restricting highly privileged accounts from the local Administrators group helps mitigate the risk of privilege escalation resulting from credential theft attacks. - -Standard user accounts must not be members of the local administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the system to include only administrator groups or accounts that are responsible for the system in the local Administrators group. 
- -For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. - -Remove any standard user accounts.Run "Computer Management". -Navigate to System Tools >> Local Users and Groups >> Groups. -Review the members of the Administrators group. -Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. - -For domain-joined workstations, the Domain Admins group must be replaced by a domain workstation administrator group. - -Standard user accounts must not be members of the local administrator group. - -If prohibited accounts are members of the local administrators group, this is a finding. - -The built-in Administrator account or other required administrative accounts would not be a finding.WN10-00-000075<GroupDescription></GroupDescription>WN10-00-000075Only accounts responsible for the backup operations must be members of the Backup Operators group.<VulnDiscussion>Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. Members of the Backup Operators group must have separate logon accounts for performing backup duties.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Create separate accounts for backup operations for users with this privilege.Run "Computer Management". -Navigate to System Tools >> Local Users and Groups >> Groups. 
-Review the members of the Backup Operators group. - -If the group contains no accounts, this is not a finding. - -If the group contains any accounts, the accounts must be specifically for backup functions. - -If the group contains any standard user accounts used for performing normal user tasks, this is a finding.WN10-00-000080<GroupDescription></GroupDescription>WN10-00-000080Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems.<VulnDiscussion>Allowing other operating systems to run on a secure system may allow users to circumvent security. For Hyper-V, preventing unauthorized users from being assigned to the Hyper-V Administrators group will prevent them from accessing or creating virtual machines on the system. The Hyper-V Hypervisor is used by Virtualization Based Security features such as Credential Guard on Windows 10; however, it is not the full Hyper-V installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381For Hyper-V, remove any unauthorized groups or user accounts from the "Hyper-V Administrators" group. - -For hosted hypervisors other than Hyper-V, restrict access to create or run virtual machines to authorized user accounts only.If a hosted hypervisor (Hyper-V, VMware Workstation, etc.) is installed on the system, verify only authorized user accounts are allowed to run virtual machines. - -For Hyper-V, Run "Computer Management". -Navigate to System Tools >> Local Users and Groups >> Groups. -Double click on "Hyper-V Administrators". - -If any unauthorized groups or user accounts are listed in "Members:", this is a finding. 
- -For hosted hypervisors other than Hyper-V, verify only authorized user accounts have access to run the virtual machines. Restrictions may be enforced by access to the physical system, software restriction policies, or access restrictions built in to the application. - -If any unauthorized groups or user accounts have access to create or run virtual machines, this is a finding. - -All users authorized to create or run virtual machines must be documented with the ISSM/ISSO. Accounts nested within group accounts must be documented as individual accounts and not the group accounts.WN10-00-000085<GroupDescription></GroupDescription>WN10-00-000085Standard local user accounts must not exist on a system in a domain.<VulnDiscussion>To minimize potential points of attack, local user accounts, other than built-in accounts and local administrator accounts, must not exist on a workstation in a domain. Users must log onto workstations in a domain with their domain accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Limit local user accounts on domain-joined systems. Remove any unauthorized local accounts.Run "Computer Management". -Navigate to System Tools >> Local Users and Groups >> Users. - -If local users other than the accounts listed below exist on a workstation in a domain, this is a finding. 
- -Built-in Administrator account (Disabled) -Built-in Guest account (Disabled) -Built-in DefaultAccount (Disabled) -Built-in defaultuser0 (Disabled) -Built-in WDAGUtilityAccount (Disabled) -Local administrator account(s) - -All of the built-in accounts may not exist on a system, depending on the Windows 10 version.WN10-CC-000350<GroupDescription></GroupDescription>WN10-CC-000350The Windows Remote Management (WinRM) service must not allow unencrypted traffic.<VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002890CCI-003123Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow unencrypted traffic" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ - -Value Name: AllowUnencryptedTraffic - -Value Type: REG_DWORD -Value: 0WN10-00-000090<GroupDescription></GroupDescription>WN10-00-000090Accounts must be configured to require password expiration.<VulnDiscussion>Passwords that do not expire increase exposure with a greater probability of being discovered or 
cracked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000199Configure all passwords to expire. -Run "Computer Management". -Navigate to System Tools >> Local Users and Groups >> Users. -Double click each active account. -Ensure "Password never expires" is not checked on all active accounts.Run "Computer Management". -Navigate to System Tools >> Local Users and Groups >> Users. -Double click each active account. - -If "Password never expires" is selected for any account, this is a finding.WN10-00-000095<GroupDescription></GroupDescription>WN10-00-000095Permissions for system files and directories must conform to minimum requirements.<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002165Maintain the default file system permissions and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN10-SO-000160).The default file system permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN10-SO-000160). 
- -If the default file system permissions are maintained and the referenced option is set to "Disabled", this is not a finding. - -Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) - -Viewing in File Explorer: -Select the "Security" tab, and the "Advanced" button. - -C:\ -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -Administrators - Full control - This folder, subfolders and files -SYSTEM - Full control - This folder, subfolders and files -Users - Read & execute - This folder, subfolders and files -Authenticated Users - Modify - Subfolders and files only -Authenticated Users - Create folders / append data - This folder only - -\Program Files -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -TrustedInstaller - Full control - This folder and subfolders -SYSTEM - Modify - This folder only -SYSTEM - Full control - Subfolders and files only -Administrators - Modify - This folder only -Administrators - Full control - Subfolders and files only -Users - Read & execute - This folder, subfolders and files -CREATOR OWNER - Full control - Subfolders and files only -ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files -ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders and files - -\Windows -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -TrustedInstaller - Full control - This folder and subfolders -SYSTEM - Modify - This folder only -SYSTEM - Full control - Subfolders and files only -Administrators - Modify - This folder only -Administrators - Full control - Subfolders and files only -Users - Read & execute - This folder, subfolders and files -CREATOR OWNER - Full control - 
Subfolders and files only -ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files -ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders and files - -Alternately use icacls. - -Run "CMD" as administrator. -Enter "icacls" followed by the directory. - -icacls c:\ -icacls "c:\program files" -icacls c:\windows - -The following results will be displayed as each is entered: - -c:\ -BUILTIN\Administrators:(OI)(CI)(F) -NT AUTHORITY\SYSTEM:(OI)(CI)(F) -BUILTIN\Users:(OI)(CI)(RX) -NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M) -NT AUTHORITY\Authenticated Users:(AD) -Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW) -Successfully processed 1 files; Failed processing 0 files - -c:\program files -NT SERVICE\TrustedInstaller:(F) -NT SERVICE\TrustedInstaller:(CI)(IO)(F) -NT AUTHORITY\SYSTEM:(M) -NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) -BUILTIN\Administrators:(M) -BUILTIN\Administrators:(OI)(CI)(IO)(F) -BUILTIN\Users:(RX) -BUILTIN\Users:(OI)(CI)(IO)(GR,GE) -CREATOR OWNER:(OI)(CI)(IO)(F) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) -APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) -APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) -Successfully processed 1 files; Failed processing 0 files - -c:\windows -NT SERVICE\TrustedInstaller:(F) -NT SERVICE\TrustedInstaller:(CI)(IO)(F) -NT AUTHORITY\SYSTEM:(M) -NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) -BUILTIN\Administrators:(M) -BUILTIN\Administrators:(OI)(CI)(IO)(F) -BUILTIN\Users:(RX) -BUILTIN\Users:(OI)(CI)(IO)(GR,GE) -CREATOR OWNER:(OI)(CI)(IO)(F) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) -APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) -APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) 
-Successfully processed 1 files; Failed processing 0 filesWN10-CC-000355<GroupDescription></GroupDescription>WN10-CC-000355The Windows Remote Management (WinRM) service must not store RunAs credentials.<VulnDiscussion>Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002038Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Disallow WinRM from storing RunAs credentials" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ - -Value Name: DisableRunAs - -Value Type: REG_DWORD -Value: 1WN10-00-000100<GroupDescription></GroupDescription>WN10-00-000100Internet Information System (IIS) or its subcomponents must not be installed on a workstation.<VulnDiscussion>Installation of Internet Information System (IIS) may allow unauthorized internet services to be hosted. 
Websites must only be hosted on servers that have been designed for that purpose and can be adequately secured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Uninstall "Internet Information Services" or "Internet Information Services Hostable Web Core" from the system.IIS is not installed by default. Verify it has not been installed on the system. - -Run "Programs and Features". -Select "Turn Windows features on or off". - -If the entries for "Internet Information Services" or "Internet Information Services Hostable Web Core" are selected, this is a finding. - -If an application requires IIS or a subset to be installed to function, this needs be documented with the ISSO. In addition, any applicable requirements from the IIS STIG must be addressed.WN10-00-000105<GroupDescription></GroupDescription>WN10-00-000105Simple Network Management Protocol (SNMP) must not be installed on the system.<VulnDiscussion>Some protocols and services do not support required security features, such as encrypting passwords or traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000382Uninstall "Simple Network Management Protocol (SNMP)" from the system. - -Run "Programs and Features". -Select "Turn Windows Features on or off". 
-De-select "Simple Network Management Protocol (SNMP)"."SNMP" is not installed by default. Verify it has not been installed. - -Navigate to the Windows\System32 directory. - -If the "SNMP" application exists, this is a finding.WN10-00-000110<GroupDescription></GroupDescription>WN10-00-000110Simple TCP/IP Services must not be installed on the system.<VulnDiscussion>Some protocols and services do not support required security features, such as encrypting passwords or traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Uninstall "Simple TCPIP Services (i.e. echo, daytime etc)" from the system. - -Run "Programs and Features". -Select "Turn Windows Features on or off". -De-select "Simple TCPIP Services (i.e. echo, daytime etc)"."Simple TCP/IP Services" is not installed by default. Verify it has not been installed. - -Run "Services.msc". 
- -If "Simple TCP/IP Services" is listed, this is a finding.WN10-00-000115<GroupDescription></GroupDescription>WN10-00-000115The Telnet Client must not be installed on the system.<VulnDiscussion>Some protocols and services do not support required security features, such as encrypting passwords or traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000382Uninstall "Telnet Client" from the system. - -Run "Programs and Features". -Select "Turn Windows Features on or off". - -De-select "Telnet Client".The "Telnet Client" is not installed by default. Verify it has not been installed. - -Navigate to the Windows\System32 directory. - -If the "telnet" application exists, this is a finding.WN10-00-000120<GroupDescription></GroupDescription>WN10-00-000120The TFTP Client must not be installed on the system.<VulnDiscussion>Some protocols and services do not support required security features, such as encrypting passwords or traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000382Uninstall "TFTP Client" from the system. - -Run "Programs and Features". -Select "Turn Windows Features on or off". - -De-select "TFTP Client".The "TFTP Client" is not installed by default. Verify it has not been installed. 
- -Navigate to the Windows\System32 directory. - -If the "TFTP" application exists, this is a finding.WN10-00-000130<GroupDescription></GroupDescription>WN10-00-000130Software certificate installation files must be removed from Windows 10.<VulnDiscussion>Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Remove any certificate installation files (*.p12 and *.pfx) found on a system. - -Note: This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager) or Adobe PreFlight certificate files.Search all drives for *.p12 and *.pfx files. - -If any files with these extensions exist, this is a finding. - -This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager) or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. 
These must be documented with the ISSO.WN10-00-000135<GroupDescription></GroupDescription>WN10-00-000135A host-based firewall must be installed and enabled on the system.<VulnDiscussion>A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Install and enable a host-based firewall on the system.Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. - -The configuration requirements will be determined by the applicable firewall STIG.WN10-00-000140<GroupDescription></GroupDescription>WN10-00-000140Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.<VulnDiscussion>Allowing inbound access to domain workstations from other systems may allow lateral movement across systems if credentials are compromised. 
Limiting inbound connections only from authorized remote management systems will help limit this exposure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure firewall exceptions to inbound connections on domain workstations to include only authorized remote management hosts. - -Configure only inbound connection exceptions for authorized remote management hosts. -Computer Configuration >> Windows Settings >> Security Settings >> Windows Defender Firewall with Advanced Security >> Windows Defender Firewall with Advanced Security >> Inbound Rules (this link will be in the right pane) - -For any inbound rules that allow connections, configure the Scope for Remote IP address to those of authorized remote management hosts. This may be defined as an IP address, subnet or range. Apply the rule to all firewall profiles. - -If a third-party firewall is used, configure inbound exceptions to only include authorized remote management hosts.Verify firewall exceptions to inbound connections on domain workstations include only authorized remote management hosts. - -If allowed inbound exceptions are not limited to authorized remote management hosts, this is a finding. - -Review inbound firewall exceptions. -Computer Configuration >> Windows Settings >> Security Settings >> Windows Defender Firewall with Advanced Security >> Windows Defender Firewall with Advanced Security >> Inbound Rules (this link will be in the right pane) - -For any inbound rules that allow connections view the Scope for Remote IP address. This may be defined as an IP address, subnet, or range. 
The rule must apply to all firewall profiles. - -If a third-party firewall is used, ensure comparable settings are in place.WN10-AC-000005<GroupDescription></GroupDescription>WN10-AC-000005Windows 10 account lockout duration must be configured to 15 minutes or greater.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002238Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. - -A value of "0" is also acceptable, requiring an administrator to unlock the account.Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. - -If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. - -Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.WN10-AC-000010<GroupDescription></GroupDescription>WN10-AC-000010The number of allowed bad logon attempts must be configured to 3 or less.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. 
The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000044Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout threshold" to "3" or less invalid logon attempts (excluding "0" which is unacceptable).Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. - -If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding.WN10-AC-000015<GroupDescription></GroupDescription>WN10-AC-000015The period of time before the bad logon counter is reset must be configured to 15 minutes.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to 0. 
The smaller this value is, the less effective the account lockout feature will be in protecting the local system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000044CCI-002238Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to "15" minutes.Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. - -If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.WN10-AC-000020<GroupDescription></GroupDescription>WN10-AC-000020The password history must be configured to 24 passwords remembered.<VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is 24 for Windows domain systems. 
DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000200Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered.Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.WN10-AC-000025<GroupDescription></GroupDescription>WN10-AC-000025The maximum password age must be configured to 60 days or less.<VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. 
Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000199Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Maximum Password Age" to "60" days or less (excluding "0" which is unacceptable).Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding.WN10-AC-000030<GroupDescription></GroupDescription>WN10-AC-000030The minimum password age must be configured to at least 1 day.<VulnDiscussion>Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. 
This enables users to effectively negate the purpose of mandating periodic password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000198Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum Password Age" to at least "1" day.Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for the "Minimum password age" is less than "1" day, this is a finding.WN10-AC-000035<GroupDescription></GroupDescription>WN10-AC-000035Passwords must, at a minimum, be 14 characters.<VulnDiscussion>Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000205Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password length" to "14" 
characters.Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for the "Minimum password length," is less than "14" characters, this is a finding.WN10-AC-000040<GroupDescription></GroupDescription>WN10-AC-000040The built-in Microsoft password complexity filter must be enabled.<VulnDiscussion>The use of complex passwords increases their strength against guessing and brute-force attacks. This setting configures the system to verify that newly created passwords conform to the Windows password complexity policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000192CCI-000193CCI-000194CCI-001619Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. 
- -If the site is using a password filter that requires this setting be set to "Disabled" for the filter to be used, this would not be considered a finding.WN10-AC-000045<GroupDescription></GroupDescription>WN10-AC-000045Reversible password encryption must be disabled.<VulnDiscussion>Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy must never be enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000196Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.WN10-AU-000005<GroupDescription></GroupDescription>WN10-AU-000005The system must be configured to audit Account Logon - Credential Validation failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Account Logon >> Credential Validation - FailureWN10-AU-000010<GroupDescription></GroupDescription>WN10-AU-000010The system must be configured to audit Account Logon - Credential Validation successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Account Logon >> Credential Validation - SuccessWN10-AU-000030<GroupDescription></GroupDescription>WN10-AU-000030The system must be configured to audit Account Management - Security Group Management successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Security Group Management records events such as creating, deleting or changing of security groups, including changes in group members.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Security Group Management" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Account Management >> Security Group Management - SuccessWN10-AU-000035<GroupDescription></GroupDescription>WN10-AU-000035The system must be configured to audit Account Management - User Account Management failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding: - -Account Management >> User Account Management - FailureWN10-AU-000040<GroupDescription></GroupDescription>WN10-AU-000040The system must be configured to audit Account Management - User Account Management successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
-Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Account Management >> User Account Management - SuccessWN10-AU-000045<GroupDescription></GroupDescription>WN10-AU-000045The system must be configured to audit Detailed Tracking - PNP Activity successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Plug and Play activity records events related to the successful connection of external devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit PNP Activity" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding: - -Detailed Tracking >> Plug and Play Events - SuccessWN10-AU-000050<GroupDescription></GroupDescription>WN10-AU-000050The system must be configured to audit Detailed Tracking - Process Creation successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Process creation records events related to the creation of a process and the source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit Process Creation" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding: - -Detailed Tracking >> Process Creation - SuccessWN10-AU-000060<GroupDescription></GroupDescription>WN10-AU-000060The system must be configured to audit Logon/Logoff - Group Membership successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Group Membership records information related to the group membership of a user's logon token.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Group Membership" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding: - -Logon/Logoff >> Group Membership - SuccessWN10-AU-000065<GroupDescription></GroupDescription>WN10-AU-000065The system must be configured to audit Logon/Logoff - Logoff successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000067CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logoff" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding: - -Logon/Logoff >> Logoff - SuccessWN10-AU-000070<GroupDescription></GroupDescription>WN10-AU-000070The system must be configured to audit Logon/Logoff - Logon failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000067CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding: - -Logon/Logoff >> Logon - FailureWN10-AU-000075<GroupDescription></GroupDescription>WN10-AU-000075The system must be configured to audit Logon/Logoff - Logon successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000067CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding: - -Logon/Logoff >> Logon - SuccessWN10-AU-000080<GroupDescription></GroupDescription>WN10-AU-000080The system must be configured to audit Logon/Logoff - Special Logon successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Special Logon records special logons which have administrative privileges and can be used to elevate processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Special Logon" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding: - -Logon/Logoff >> Special Logon - SuccessWN10-AU-000085<GroupDescription></GroupDescription>WN10-AU-000085The system must be configured to audit Object Access - Removable Storage failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Auditing object access for removable media records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding: - -Object Access >> Removable Storage - Failure - -Some virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM.WN10-AU-000090<GroupDescription></GroupDescription>WN10-AU-000090The system must be configured to audit Object Access - Removable Storage successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Auditing object access for removable media records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Object Access >> Removable Storage - Success - -Some virtual machines may generate excessive audit events for access to the virtual hard disk itself when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. 
This must be documented with the ISSO to include mitigations such as monitoring or restricting any actual removable storage connected to the VM.WN10-AU-000100<GroupDescription></GroupDescription>WN10-AU-000100The system must be configured to audit Policy Change - Audit Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Policy Change records events related to changes in audit policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding: - -Policy Change >> Audit Policy Change - SuccessWN10-AU-000105<GroupDescription></GroupDescription>WN10-AU-000105The system must be configured to audit Policy Change - Authentication Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Authentication Policy Change records events related to changes in authentication policy including Kerberos policy and Trust changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authentication Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". 
- -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Policy Change >> Authentication Policy Change - SuccessWN10-AU-000110<GroupDescription></GroupDescription>WN10-AU-000110The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
-Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Privilege Use >> Sensitive Privilege Use - FailureWN10-AU-000115<GroupDescription></GroupDescription>WN10-AU-000115The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Privilege Use >> Sensitive Privilege Use - SuccessWN10-AU-000120<GroupDescription></GroupDescription>WN10-AU-000120The system must be configured to audit System - IPSec Driver failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -IPSec Driver records events related to the IPSec Driver such as dropped packets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPSec Driver" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -System >> IPSec Driver - FailureWN10-AU-000130<GroupDescription></GroupDescription>WN10-AU-000130The system must be configured to audit System - Other System Events successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -System >> Other System Events - SuccessWN10-AU-000135<GroupDescription></GroupDescription>WN10-AU-000135The system must be configured to audit System - Other System Events failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -System >> Other System Events - FailureWN10-AU-000140<GroupDescription></GroupDescription>WN10-AU-000140The system must be configured to audit System - Security State Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Security State Change records events related to changes in the security state, such as startup and shutdown of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security State Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -System >> Security State Change - SuccessWN10-AU-000150<GroupDescription></GroupDescription>WN10-AU-000150The system must be configured to audit System - Security System Extension successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Security System Extension records events related to extension code being loaded by the security subsystem.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security System Extension" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -System >> Security System Extension - SuccessWN10-AU-000155<GroupDescription></GroupDescription>WN10-AU-000155The system must be configured to audit System - System Integrity failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -System Integrity records events related to violations of integrity to the security subsystem.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -System >> System Integrity - FailureWN10-AU-000160<GroupDescription></GroupDescription>WN10-AU-000160The system must be configured to audit System - System Integrity successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -System Integrity records events related to violations of integrity to the security subsystem.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -System >> System Integrity - SuccessWN10-AU-000500<GroupDescription></GroupDescription>WN10-AU-000500The Application event log size must be configured to 32768 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001849If the system is configured to send audit records directly to an audit server, this is NA. This must be documented with the ISSO. - -Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.If the system is configured to send audit records directly to an audit server, this is NA. This must be documented with the ISSO. 
- -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ - -Value Name: MaxSize - -Value Type: REG_DWORD -Value: 0x00008000 (32768) (or greater)WN10-AU-000505<GroupDescription></GroupDescription>WN10-AU-000505The Security event log size must be configured to 1024000 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Security >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "1024000" or greater. - -If the system is configured to send audit records directly to an audit server, documented with the ISSO.If the system is configured to send audit records directly to an audit server, this is NA. This must be documented with the ISSO. 
- -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ - -Value Name: MaxSize - -Value Type: REG_DWORD -Value: 0x000fa000 (1024000) (or greater)WN10-AU-000510<GroupDescription></GroupDescription>WN10-AU-000510The System event log size must be configured to 32768 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001849If the system is configured to send audit records directly to an audit server, this is NA. This must be documented with the ISSO. - -Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> System >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.If the system is configured to send audit records directly to an audit server, this is NA. This must be documented with the ISSO. 
- -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ - -Value Name: MaxSize - -Value Type: REG_DWORD -Value: 0x00008000 (32768) (or greater)WN10-AU-000515<GroupDescription></GroupDescription>WN10-AU-000515Windows 10 permissions for the Application event log must prevent access by non-privileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Application event log may be susceptible to tampering if proper permissions are not applied.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000162CCI-000163CCI-000164Ensure the permissions on the Application event log (Application.evtx) are configured to prevent standard user accounts or groups from having access. The default permissions listed below satisfy this requirement. - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. - -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have access. 
The default permissions listed below satisfy this requirement. - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. - -If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. - -NOTE: If "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" has Special Permissions, this would not be a finding.WN10-AU-000520<GroupDescription></GroupDescription>WN10-AU-000520Windows 10 permissions for the Security event log must prevent access by non-privileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Security event log may disclose sensitive information or be susceptible to tampering if proper permissions are not applied.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000162CCI-000163CCI-000164Ensure the permissions on the Security event log (Security.evtx) are configured to prevent standard user accounts or groups from having access. The default permissions listed below satisfy this requirement. - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. 
- -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement. - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. - -If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. - -NOTE: If "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" has Special Permissions, this would not be a finding.WN10-AU-000525<GroupDescription></GroupDescription>WN10-AU-000525Windows 10 permissions for the System event log must prevent access by non-privileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The System event log may be susceptible to tampering if proper permissions are not applied.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000162CCI-000163CCI-000164Ensure the permissions on the System event log (System.evtx) are configured to prevent standard user accounts or groups from having access. The default permissions listed below satisfy this requirement. 
- -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. - -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement. - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. - -If the permissions for these files are not as restrictive as the ACLs listed, this is a finding. - -NOTE: If "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" has Special Permissions, this would not be a finding.WN10-CC-000005<GroupDescription></GroupDescription>WN10-CC-000005Camera access from the lock screen must be disabled.<VulnDiscussion>Enabling camera access from the lock screen could allow for unauthorized use. Requiring logon will ensure the device is only used by authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381If the device does not have a camera, this is NA. - -Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> "Prevent enabling lock screen camera" to "Enabled".If the device does not have a camera, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ - -Value Name: NoLockScreenCamera - -Value Type: REG_DWORD -Value: 1WN10-CC-000010<GroupDescription></GroupDescription>WN10-CC-000010The display of slide shows on the lock screen must be disabled.<VulnDiscussion>Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> "Prevent enabling lock screen slide show" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ - -Value Name: NoLockScreenSlideshow - -Value Type: REG_DWORD -Value: 1WN10-CC-000020<GroupDescription></GroupDescription>WN10-CC-000020IPv6 source routing must be configured to highest protection.<VulnDiscussion>Configuring the system to disable IPv6 source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" to "Highest protection, source routing is completely disabled". - -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. 
"MSS-Legacy.admx" and " MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ - -Value Name: DisableIpSourceRouting - -Value Type: REG_DWORD -Value: 2WN10-CC-000025<GroupDescription></GroupDescription>WN10-CC-000025The system must be configured to prevent IP source routing.<VulnDiscussion>Configuring the system to disable IP source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" to "Highest protection, source routing is completely disabled". - -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. 
"MSS-Legacy.admx" and " MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ - -Value Name: DisableIPSourceRouting - -Value Type: REG_DWORD -Value: 2WN10-CC-000030<GroupDescription></GroupDescription>WN10-CC-000030The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.<VulnDiscussion>Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to "Disabled". - -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. 
"MSS-Legacy.admx" and " MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ - -Value Name: EnableICMPRedirect - -Value Type: REG_DWORD -Value: 0WN10-CC-000035<GroupDescription></GroupDescription>WN10-CC-000035The system must be configured to ignore NetBIOS name release requests except from WINS servers.<VulnDiscussion>Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the servers WINS resolution capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002385Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to "Enabled". - -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. 
"MSS-Legacy.admx" and " MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ - -Value Name: NoNameReleaseOnDemand - -Value Type: REG_DWORD -Value: 1WN10-CC-000040<GroupDescription></GroupDescription>WN10-CC-000040Insecure logons to an SMB server must be disabled.<VulnDiscussion>Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Lanman Workstation >> "Enable insecure guest logons" to "Disabled".Windows 10 v1507 LTSB version does not include this setting; it is NA for those systems. - -If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\ - -Value Name: AllowInsecureGuestAuth - -Type: REG_DWORD -Value: 0x00000000 (0)WN10-CC-000050<GroupDescription></GroupDescription>WN10-CC-000050Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.<VulnDiscussion>Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in Hardened UNC paths before allowing access them. This aids in preventing tampering with or spoofing of connections to these paths.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Network Provider >> "Hardened UNC Paths" to "Enabled" with at least the following configured in "Hardened UNC Paths:" (click the "Show" button to display). - -Value Name: \\*\SYSVOL -Value: RequireMutualAuthentication=1, RequireIntegrity=1 - -Value Name: \\*\NETLOGON -Value: RequireMutualAuthentication=1, RequireIntegrity=1This requirement is applicable to domain-joined systems, for standalone systems this is NA. - -If the following registry values do not exist or are not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\ - -Value Name: \\*\NETLOGON -Value Type: REG_SZ -Value: RequireMutualAuthentication=1, RequireIntegrity=1 - -Value Name: \\*\SYSVOL -Value Type: REG_SZ -Value: RequireMutualAuthentication=1, RequireIntegrity=1 - -Additional entries would not be a finding.WN10-PK-000005<GroupDescription></GroupDescription>WN10-PK-000005The DoD Root CA certificates must be installed in the Trusted Root Store.<VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000185CCI-002470Install the DoD Root CA certificates. -DoD Root CA 2 -DoD Root CA 3 -DoD Root CA 4 -DoD Root CA 5 - -The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities. - -The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. - -Run "PowerShell" as an administrator. - -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter - -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. 
- -If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. - -Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 -NotAfter: 12/5/2029 - -Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB -NotAfter: 12/30/2029 - -Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 -NotAfter: 7/25/2032 - -Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B -NotAfter: 6/14/2041 - -Alternately use the Certificates MMC snap-in: - -Run "MMC". - -Select "File", "Add/Remove Snap-in". - -Select "Certificates", click "Add". - -Select "Computer account", click "Next". - -Select "Local computer: (the computer this console is running on)", click "Finish". - -Click "OK". - -Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". - -For each of the DoD Root CA certificates noted below: - -Right-click on the certificate and select "Open". - -Select the "Details" Tab. - -Scroll to the bottom and select "Thumbprint". - -If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. - -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. 
- -DoD Root CA 2 -Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 -Valid to: Wednesday, December 5, 2029 - -DoD Root CA 3 -Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB -Valid to: Sunday, December 30, 2029 - -DoD Root CA 4 -Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 -Valid to: Sunday, July 25, 2032 - -DoD Root CA 5 -Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B -Valid to: Friday, June 14, 2041WN10-CC-000055<GroupDescription></GroupDescription>WN10-CC-000055Simultaneous connections to the Internet or a Windows domain must be limited.<VulnDiscussion>Multiple network connections can provide additional attack vectors to a system and must be limited. The "Minimize the number of simultaneous connections to the Internet or a Windows Domain" setting prevents systems from automatically establishing multiple connections. When both wired and wireless connections are available, for example, the less preferred connection (typically wireless) will be disconnected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366The default behavior for "Minimize the number of simultaneous connections to the Internet or a Windows Domain" is "Enabled". - -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Windows Connection Manager >> "Minimize the number of simultaneous connections to the Internet or a Windows Domain" to "Enabled".The default behavior for "Minimize the number of simultaneous connections to the Internet or a Windows Domain" is "Enabled". 
- -If the registry value name below does not exist, this is not a finding. - -If it exists and is configured with a value of "1", this is not a finding. - -If it exists and is configured with a value of "0", this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\ - -Value Name: fMinimizeConnections - -Value Type: REG_DWORD -Value: 1 (or if the Value Name does not exist)WN10-PK-000010<GroupDescription></GroupDescription>WN10-PK-000010The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.<VulnDiscussion>To ensure secure websites protected with External Certificate Authority (ECA) server certificates are properly validated, the system must trust the ECA Root CAs. The ECA root certificates will ensure the trust chain is established for server certificates issued from the External CAs. This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000185Install the ECA Root CA certificates on unclassified systems. -ECA Root CA 2 -ECA Root CA 4 - -The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.Verify the ECA Root CA certificates are installed on unclassified systems as Trusted Root Certification Authorities. - -Run "PowerShell" as an administrator. - -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*ECA*" | FL Subject, Thumbprint, NotAfter - -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. 
- -If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. - -Subject: CN=ECA Root CA 2, OU=ECA, O=U.S. Government, C=US -Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4 -NotAfter: 3/30/2028 - -Subject: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US -Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582 -NotAfter: 12/30/2029 - -Alternately use the Certificates MMC snap-in: - -Run "MMC". - -Select "File", "Add/Remove Snap-in". - -Select "Certificates", click "Add". - -Select "Computer account", click "Next". - -Select "Local computer: (the computer this console is running on)", click "Finish". - -Click "OK". - -Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". - -For each of the ECA Root CA certificates noted below: - -Right-click on the certificate and select "Open". - -Select the "Details" Tab. - -Scroll to the bottom and select "Thumbprint". - -If the ECA Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. - -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. - -ECA Root CA 2 -Thumbprint: C313F919A6ED4E0E8451AFA930FB419A20F181E4 -Valid to: Thursday, March 30, 2028 - -ECA Root CA 4 -Thumbprint: 73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582 -Valid to: Sunday, December 30, 2029WN10-CC-000060<GroupDescription></GroupDescription>WN10-CC-000060Connections to non-domain networks when connected to a domain authenticated network must be blocked.<VulnDiscussion>Multiple network connections can provide additional attack vectors to a system and should be limited. 
When connected to a domain, communication must go through the domain connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Windows Connection Manager >> "Prohibit connection to non-domain networks when connected to domain authenticated network" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\ - -Value Name: fBlockNonDomain - -Value Type: REG_DWORD -Value: 1WN10-PK-000015<GroupDescription></GroupDescription>WN10-PK-000015The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.<VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. 
This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000185CCI-002470Install the DoD Interoperability Root CA cross-certificates on unclassified systems. - -Issued To - Issued By - Thumbprint -DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F -DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341 - -The certificates can be installed using the InstallRoot tool. The tool and user guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. - -Run "PowerShell" as an administrator. - -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter - -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. - -If an expired certificate ("NotAfter" date) is found, this is a finding. - -Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F -NotAfter: 9/6/2019 - -Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US -Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US -Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 -NotAfter: 1/22/2022 - -Alternately use the Certificates MMC snap-in: - -Run "MMC". - -Select "File", "Add/Remove Snap-in". - -Select "Certificates", click "Add". - -Select "Computer account", click "Next". - -Select "Local computer: (the computer this console is running on)", click "Finish". - -Click "OK". - -Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". - -For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": - -Right-click on the certificate and select "Open". - -Select the "Details" Tab. - -Scroll to the bottom and select "Thumbprint". - -If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. - -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. - -Issued To: DoD Root CA 2 -Issued By: DoD Interoperability Root CA 1 -Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F -Valid to: Friday, September 6, 2019 - -Issued To: DoD Root CA 3 -Issued By: DoD Interoperability Root CA 2 -Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 -Valid to: Saturday, January 22, 2022WN10-PK-000020<GroupDescription></GroupDescription>WN10-PK-000020The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.<VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. 
This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000185CCI-002470Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. - -Issued To - Issued By - Thumbprint -DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E - -The certificates can be installed using the InstallRoot tool. The tool and user guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. - -Run "PowerShell" as an administrator. - -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter - -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. - -If an expired certificate ("NotAfter" date) is found, this is a finding. - -Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US -Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E -NotAfter: 9/27/2019 - -Alternately use the Certificates MMC snap-in: - -Run "MMC". - -Select "File", "Add/Remove Snap-in". - -Select "Certificates", click "Add". - -Select "Computer account", click "Next". - -Select "Local computer: (the computer this console is running on)", click "Finish". - -Click "OK". 
- -Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". - -For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": - -Right-click on the certificate and select "Open". - -Select the "Details" tab. - -Scroll to the bottom and select "Thumbprint". - -If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. - -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. - -Issued To: DoD Root CA 3 -Issuer by: US DoD CCEB Interoperability Root CA 2 -Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E -Valid: Friday, September 27, 2019WN10-CC-000065<GroupDescription></GroupDescription>WN10-CC-000065Wi-Fi Sense must be disabled.<VulnDiscussion>Wi-Fi Sense automatically connects the system to known hotspots and networks that contacts have shared. It also allows the sharing of the system's known networks to contacts. Automatically connecting to hotspots and shared networks can expose a system to unsecured or potentially malicious systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> WLAN Service >> WLAN Settings>> "Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services" to "Disabled". - -v1507 LTSB does not include this group policy setting. 
It may be configured through other means such as using group policy from a later version of Windows 10 or a registry update.This is NA as of v1803 of Windows 10; Wi-Fi sense is no longer available. - -If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\ - -Value Name: AutoConnectAllowedOEM - -Type: REG_DWORD -Value: 0x00000000 (0)WN10-RG-000005<GroupDescription></GroupDescription>WN10-RG-000005Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.<VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous modification to the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive. - -The default permissions of the higher level keys are noted below. 
- -HKEY_LOCAL_MACHINE\SECURITY -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -SYSTEM - Full Control - This key and subkeys -Administrators - Special - This key and subkeys - -HKEY_LOCAL_MACHINE\SOFTWARE -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -Users - Read - This key and subkeys -Administrators - Full Control - This key and subkeys -SYSTEM - Full Control - This key and subkeys -CREATOR OWNER - Full Control - This key and subkeys -ALL APPLICATION PACKAGES - Read - This key and subkeys - -HKEY_LOCAL_MACHINE\SYSTEM -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -Users - Read - This key and subkeys -Administrators - Full Control - This key and subkeys -SYSTEM - Full Control - This key and subkeys -CREATOR OWNER - Full Control - This key and subkeys -ALL APPLICATION PACKAGES - Read - This key and subkeys - -Microsoft has also given Read permission to the SOFTWARE and SYSTEM registry keys in later versions of Windows 10 to the following SID. - -S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681Verify the default registry permissions for the keys note below of the HKEY_LOCAL_MACHINE hive. - -If any non-privileged groups such as Everyone, Users or Authenticated Users have greater than Read permission, this is a finding. - -Run "Regedit". -Right click on the registry areas noted below. -Select "Permissions..." and the "Advanced" button. 
- -HKEY_LOCAL_MACHINE\SECURITY -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -SYSTEM - Full Control - This key and subkeys -Administrators - Special - This key and subkeys - -HKEY_LOCAL_MACHINE\SOFTWARE -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -Users - Read - This key and subkeys -Administrators - Full Control - This key and subkeys -SYSTEM - Full Control - This key and subkeys -CREATOR OWNER - Full Control - This key and subkeys -ALL APPLICATION PACKAGES - Read - This key and subkeys - -HKEY_LOCAL_MACHINE\SYSTEM -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -Users - Read - This key and subkeys -Administrators - Full Control - This key and subkeys -SYSTEM - Full Control - This key and subkeys -CREATOR OWNER - Full Control - This key and subkeys -ALL APPLICATION PACKAGES - Read - This key and subkeys - -Other subkeys under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission. - -Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in later versions of Windows 10 to the following SID, this is currently not a finding. - -S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 - -If the defaults have not been changed, these are not a finding.WN10-CC-000070<GroupDescription></GroupDescription>WN10-CC-000070Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.<VulnDiscussion>Virtualization Based Security (VBS) provides the platform for the additional security features, Credential Guard and Virtualization based protection of code integrity. Secure Boot is the minimum security level with DMA protection providing additional memory protection. 
DMA Protection requires a CPU that supports input/output memory management unit (IOMMU).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. - -For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. - -Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot" or "Secure Boot and DMA Protection" selected for "Select Platform Security Level:". - -A Microsoft article on Credential Guard system requirement can be found at the following link. -https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard-requirementsConfirm Virtualization Based Security is enabled and running with Secure Boot or Secure Boot and DMA Protection. - -For those devices that support virtualization based security (VBS) features, including Credential Guard or protection of code integrity, this must be enabled. If the system meets the hardware and firmware dependencies for enabling VBS but it is not enabled, this is a CAT III finding. 
- -Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. - -For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. - -Run "PowerShell" with elevated privileges (run as administrator). - -Enter the following: - -"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" - -If "RequiredSecurityProperties" does not include a value of "2" indicating "Secure Boot" (e.g., "{1, 2}"), this is a finding. - -If "Secure Boot and DMA Protection" is configured, "3" will also be displayed in the results (e.g., "{1, 2, 3}"). - -If "VirtualizationBasedSecurityStatus" is not a value of "2" indicating "Running", this is a finding. - -Alternately: - -Run "System Information". - -Under "System Summary", verify the following: - -If "Device Guard Virtualization based security" does not display "Running", this is finding. - -If "Device Guard Required Security Properties" does not display "Base Virtualization Support, Secure Boot", this is finding. - -If "Secure Boot and DMA Protection" is configured, "DMA Protection" will also be displayed (e.g., "Base Virtualization Support, Secure Boot, DMA Protection"). - -The policy settings referenced in the Fix section will configure the following registry values. However due to hardware requirements, the registry values alone do not ensure proper function. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ - -Value Name: EnableVirtualizationBasedSecurity -Value Type: REG_DWORD -Value: 1 - -Value Name: RequirePlatformSecurityFeatures -Value Type: REG_DWORD -Value: 1 (Secure Boot only) or 3 (Secure Boot and DMA Protection) - -A Microsoft article on Credential Guard system requirement can be found at the following link: - -https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard-requirements - -NOTE: The severity level for the requirement will be upgraded to CAT II starting January 2020.WN10-CC-000037<GroupDescription></GroupDescription>WN10-CC-000037Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.<VulnDiscussion>A compromised local administrator account can provide means for an attacker to move laterally between domain systems. - -With User Account Control enabled, filtering the privileged token for built-in administrator accounts will prevent the elevated privileges of these accounts from being used over the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001084Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Apply UAC restrictions to local accounts on network logons" to "Enabled". - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. 
"SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the system is not a member of a domain, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: LocalAccountTokenFilterPolicy - -Value Type: REG_DWORD -Value: 0x00000000 (0)WN10-CC-000075<GroupDescription></GroupDescription>WN10-CC-000075Credential Guard must be running on Windows 10 domain-joined systems.<VulnDiscussion>Credential Guard uses virtualization based security to protect information that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. - -For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. - -For VDIs with persistent desktops, this may be downgraded to a CAT II only where administrators have specific tokens for the VDI. 
Administrator accounts on virtual desktops must only be used on systems in the VDI; they may not have administrative privileges on any other systems such as servers and physical workstations. - -Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration:". - -v1507 LTSB does not include selection options; select "Enable Credential Guard". - -A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: - -https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guardConfirm Credential Guard is running on domain-joined systems. - -For those devices that support Credential Guard, this feature must be enabled. Organizations need to take the appropriate action to acquire and implement compatible hardware with Credential Guard enabled. - -Virtualization based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop. - -For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. - -Run "PowerShell" with elevated privileges (run as administrator). -Enter the following: -"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" - -If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. - -Alternately: - -Run "System Information". -Under "System Summary", verify the following: -If "Device Guard Security Services Running" does not list "Credential Guard", this is finding. - -The policy settings referenced in the Fix section will configure the following registry value. 
However, due to hardware requirements, the registry value alone does not ensure proper function. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ - -Value Name: LsaCfgFlags -Value Type: REG_DWORD -Value: 0x00000001 (1) (Enabled with UEFI lock) - -WN10-SO-000005<GroupDescription></GroupDescription>WN10-SO-000005The built-in administrator account must be disabled.<VulnDiscussion>The built-in administrator account is a well-known account subject to attack. It also provides no accountability to individual administrators on a system. It must be disabled to prevent its use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000764Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Administrator account status" to "Disabled".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. 
- -If the value for "Accounts: Administrator account status" is not set to "Disabled", this is a finding.WN10-CC-000085<GroupDescription></GroupDescription>WN10-CC-000085Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.<VulnDiscussion>By being launched first by the kernel, ELAM ( Early Launch Antimalware) is ensured to be launched before any third-party software, and is therefore able to detect malware in the boot process and prevent it from initializing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure that Early Launch Antimalware - Boot-Start Driver Initialization policy is set to enforce "Good, unknown and bad but critical" (preventing "bad"). - -If this needs to be corrected configure the policy value for Computer Configuration >> Administrative Templates >> System >> Early Launch Antimalware >> "Boot-Start Driver Initialization Policy" to "Enabled” with "Good, unknown and bad but critical" selected.The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy is to enforce "Good, unknown and bad but critical" (preventing "bad"). - -If the registry value name below does not exist, this a finding. - -If it exists and is configured with a value of "7", this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\ - -Value Name: DriverLoadPolicy - -Value Type: REG_DWORD -Value: 1, 3, or 8 - -Possible values for this setting are: -8 - Good only -1 - Good and unknown -3 - Good, unknown and bad but critical -7 - All (which includes "Bad" and would be a finding) -WN10-CC-000090<GroupDescription></GroupDescription>WN10-CC-000090Group Policy objects must be reprocessed even if they have not changed.<VulnDiscussion>Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures that the policies will be reprocessed even if none have been changed. This way, any unauthorized changes are forced to match the domain-based group policy settings again.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Group Policy >> "Configure registry policy processing" to "Enabled" and select the option "Process even if the Group Policy objects have not changed".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} - -Value Name: NoGPOListChanges - -Value Type: REG_DWORD -Value: 0WN10-SO-000010<GroupDescription></GroupDescription>WN10-SO-000010The built-in guest account must be disabled.<VulnDiscussion>A system faces an increased vulnerability threat if the built-in guest account is not disabled. 
This account is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000804Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Guest account status" to "Disabled".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. - -If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding.WN10-CC-000100<GroupDescription></GroupDescription>WN10-CC-000100Downloading print driver packages over HTTP must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off downloading of print drivers over HTTP" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ - -Value Name: DisableWebPnPDownload - -Value Type: REG_DWORD -Value: 1WN10-SO-000015<GroupDescription></GroupDescription>WN10-SO-000015Local accounts with blank passwords must be restricted to prevent access from the network.<VulnDiscussion>An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. 
However, if a local account with a blank password did exist, enabling this setting will prevent network access, limiting the account to local console logon only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Limit local account use of blank passwords to console logon only" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ - -Value Name: LimitBlankPasswordUse - -Value Type: REG_DWORD -Value: 1WN10-SO-000020<GroupDescription></GroupDescription>WN10-SO-000020The built-in administrator account must be renamed.<VulnDiscussion>The built-in administrator account is a well-known account subject to attack. 
Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename administrator account" to a name other than "Administrator".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. - -If the value for "Accounts: Rename administrator account" is set to "Administrator", this is a finding.WN10-CC-000105<GroupDescription></GroupDescription>WN10-CC-000105Web publishing and online ordering wizards must be prevented from downloading a list of providers.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
This setting prevents Windows from downloading a list of providers for the Web publishing and online ordering wizards.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off Internet download for Web publishing and online ordering wizards" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ - -Value Name: NoWebServices - -Value Type: REG_DWORD -Value: 1WN10-CC-000110<GroupDescription></GroupDescription>WN10-CC-000110Printing over HTTP must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off printing over HTTP" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ - -Value Name: DisableHTTPPrinting - -Value Type: REG_DWORD -Value: 1WN10-SO-000025<GroupDescription></GroupDescription>WN10-SO-000025The built-in guest account must be renamed.<VulnDiscussion>The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. 
Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename guest account" to a name other than "Guest".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. - -If the value for "Accounts: Rename guest account" is set to "Guest", this is a finding.WN10-CC-000115<GroupDescription></GroupDescription>WN10-CC-000115Systems must at least attempt device authentication using certificates.<VulnDiscussion>Using certificates to authenticate devices to the domain provides increased security over passwords. By default systems will attempt to authenticate using certificates and fall back to passwords if the domain controller does not support certificates for devices. 
This may also be configured to always use certificates for device authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366This requirement is applicable to domain-joined systems, for standalone systems this is NA. - -The default behavior for "Support device authentication using certificate" is "Automatic". - -If this needs to be corrected, configured the policy value for Computer Configuration >> Administrative Templates >> System >> Kerberos >> "Support device authentication using certificate" to "Not Configured or "Enabled" with either option selected in "Device authentication behavior using certificate:".This requirement is applicable to domain-joined systems, for standalone systems this is NA. - -The default behavior for "Support device authentication using certificate" is "Automatic". - -If the registry value name below does not exist, this is not a finding. - -If it exists and is configured with a value of "1", this is not a finding. - -If it exists and is configured with a value of "0", this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ - -Value Name: DevicePKInitEnabled -Value Type: REG_DWORD -Value: 1 (or if the Value Name does not exist)WN10-CC-000120<GroupDescription></GroupDescription>WN10-CC-000120The network selection user interface (UI) must not be displayed on the logon screen.<VulnDiscussion>Enabling interaction with the network selection UI allows users to change connections to available networks without signing into Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Do not display network selection UI" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ - -Value Name: DontDisplayNetworkSelectionUI - -Value Type: REG_DWORD -Value: 1WN10-CC-000130<GroupDescription></GroupDescription>WN10-CC-000130Local users on domain-joined computers must not be enumerated.<VulnDiscussion>The username is one part of logon credentials that could be used to gain access to a system. 
Preventing the enumeration of users limits this information to authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381This requirement is applicable to domain-joined systems, for standalone systems this is NA. - -Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Enumerate local users on domain-joined computers" to "Disabled".This requirement is applicable to domain-joined systems, for standalone systems this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ - -Value Name: EnumerateLocalUsers - -Value Type: REG_DWORD -Value: 0WN10-SO-000030<GroupDescription></GroupDescription>WN10-SO-000030Audit policy using subcategories must be enabled.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000169Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ - -Value Name: SCENoApplyLegacyAuditPolicy - -Value Type: REG_DWORD -Value: 1WN10-SO-000035<GroupDescription></GroupDescription>WN10-SO-000035Outgoing secure channel traffic must be encrypted or signed.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted and signed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt or sign secure channel data (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: RequireSignOrSeal - -Value Type: REG_DWORD -Value: 1WN10-SO-000040<GroupDescription></GroupDescription>WN10-SO-000040Outgoing secure channel traffic must be encrypted when possible.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt secure channel data (when possible)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: SealSecureChannel - -Value Type: REG_DWORD -Value: 1WN10-CC-000145<GroupDescription></GroupDescription>WN10-CC-000145Users must be prompted for a password on resume from sleep (on battery).<VulnDiscussion>Authentication must always be required when accessing a system. 
This setting ensures the user is prompted for a password on resume from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002038Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (on battery)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ - -Value Name: DCSettingIndex - -Value Type: REG_DWORD -Value: 1WN10-SO-000045<GroupDescription></GroupDescription>WN10-SO-000045Outgoing secure channel traffic must be signed when possible.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. 
If this policy is enabled, outgoing secure channel traffic will be signed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally sign secure channel data (when possible)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: SignSecureChannel - -Value Type: REG_DWORD -Value: 1WN10-CC-000150<GroupDescription></GroupDescription>WN10-CC-000150The user must be prompted for a password on resume from sleep (plugged in).<VulnDiscussion>Authentication must always be required when accessing a system. 
This setting ensures the user is prompted for a password on resume from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002038Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (plugged in)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ - -Value Name: ACSettingIndex - -Value Type: REG_DWORD -Value: 1WN10-CC-000155<GroupDescription></GroupDescription>WN10-CC-000155Solicited Remote Assistance must not be allowed.<VulnDiscussion>Remote assistance allows another user to view or take control of the local session of a user. Solicited assistance is help that is specifically requested by the local user. 
This may allow unauthorized parties access to the resources on the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001090Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Assistance >> "Configure Solicited Remote Assistance" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fAllowToGetHelp - -Value Type: REG_DWORD -Value: 0WN10-SO-000050<GroupDescription></GroupDescription>WN10-SO-000050The computer account password must not be prevented from being reset.<VulnDiscussion>Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. 
A new password for the computer account will be generated every 30 days.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Disable machine account password changes" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: DisablePasswordChange - -Value Type: REG_DWORD -Value: 0WN10-CC-000165<GroupDescription></GroupDescription>WN10-CC-000165Unauthenticated RPC clients must be restricted from connecting to the RPC server.<VulnDiscussion>Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001967Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Procedure Call >> "Restrict Unauthenticated RPC clients" to "Enabled" and "Authenticated".If the following registry value does not exist or is not configured as specified, this is a finding: - 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ - -Value Name: RestrictRemoteClients - -Value Type: REG_DWORD -Value: 1WN10-CC-000170<GroupDescription></GroupDescription>WN10-CC-000170The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.<VulnDiscussion>Control of credentials and the system must be maintained within the enterprise. Enabling this setting allows enterprise credentials to be used with modern style apps that support this, instead of Microsoft accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> App Runtime >> "Allow Microsoft accounts to be optional" to "Enabled".Windows 10 LTSC\B versions do not support the Microsoft Store and modern apps; this is NA for those systems. - -If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: MSAOptional - -Value Type: REG_DWORD -Value: 0x00000001 (1)WN10-SO-000055<GroupDescription></GroupDescription>WN10-SO-000055The maximum age for machine account passwords must be configured to 30 days or less.<VulnDiscussion>Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. 
This setting must be set to no more than 30 days, ensuring the machine changes its password monthly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366This is the default configuration for this setting (30 days). - -Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Maximum machine account password age" to "30" or less (excluding 0 which is unacceptable).This is the default configuration for this setting (30 days). - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: MaximumPasswordAge - -Value Type: REG_DWORD -Value: 0x0000001e (30) (or less, excluding 0)WN10-CC-000175<GroupDescription></GroupDescription>WN10-CC-000175The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> "Turn off Inventory Collector" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppCompat\ - -Value Name: DisableInventory - -Value Type: REG_DWORD -Value: 1WN10-SO-000060<GroupDescription></GroupDescription>WN10-SO-000060The system must be configured to require a strong session key.<VulnDiscussion>A computer connecting to a domain controller will establish a secure channel. 
Requiring strong session keys enforces 128-bit encryption between systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Require strong (Windows 2000 or Later) session key" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: RequireStrongKey - -Value Type: REG_DWORD -Value: 1 - -Warning: This setting may prevent a system from being joined to a domain if not configured consistently between systems.WN10-CC-000180<GroupDescription></GroupDescription>WN10-CC-000180Autoplay must be turned off for non-volume devices.<VulnDiscussion>Allowing autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs or music on audio media may start. 
This setting will disable autoplay for non-volume devices (such as Media Transfer Protocol (MTP) devices).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001764Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Disallow Autoplay for non-volume devices" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ - -Value Name: NoAutoplayfornonVolume - -Value Type: REG_DWORD -Value: 1WN10-SO-000070<GroupDescription></GroupDescription>WN10-SO-000070The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. 
This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000057Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Machine inactivity limit" to "900 seconds" or less, excluding "0" which is effectively disabled.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: InactivityTimeoutSecs - -Value Type: REG_DWORD -Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled)WN10-CC-000185<GroupDescription></GroupDescription>WN10-CC-000185The default autorun behavior must be configured to prevent autorun commands.<VulnDiscussion>Allowing autorun commands to execute may introduce malicious code to a system. 
Configuring this setting prevents autorun commands from executing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001764Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Set the default behavior for AutoRun" to "Enabled:Do not execute any autorun commands".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ - -Value Name: NoAutorun - -Value Type: REG_DWORD -Value: 1WN10-CC-000190<GroupDescription></GroupDescription>WN10-CC-000190Autoplay must be disabled for all drives.<VulnDiscussion>Allowing autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs or music on audio media may start. By default, autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. 
If you enable this policy, you can also disable autoplay on all drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001764Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Turn off AutoPlay" to "Enabled:All Drives".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ - -Value Name: NoDriveTypeAutoRun - -Value Type: REG_DWORD -Value: 0x000000ff (255) - -Note: If the value for NoDriveTypeAutorun is entered manually, it must be entered as "ff" when Hexadecimal is selected, or "255" with Decimal selected. 
Using the policy value specified in the Fix section will enter it correctly.WN10-SO-000075<GroupDescription></GroupDescription>WN10-SO-000075The required legal notice must be configured to display before console logon.<VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000048CCI-000050CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Message text for users attempting to log on" to the following. - -You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
- --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: LegalNoticeText - -Value Type: REG_SZ -Value: -You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
- --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.WN10-CC-000195<GroupDescription></GroupDescription>WN10-CC-000195Enhanced anti-spoofing for facial recognition must be enabled on Windows 10.<VulnDiscussion>Enhanced anti-spoofing provides additional protections when using facial recognition with devices that support it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Biometrics >> Facial Features >> "Configure enhanced anti-spoofing" to "Enabled". - -v1607: -The policy name is "Use enhanced anti-spoofing when available".Windows 10 v1507 LTSB version does not include this setting; it is NA for those systems. 
- -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures\ - -Value Name: EnhancedAntiSpoofing - -Value Type: REG_DWORD -Value: 0x00000001 (1)WN10-CC-000200<GroupDescription></GroupDescription>WN10-CC-000200Administrator accounts must not be enumerated during elevation.<VulnDiscussion>Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001084Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ - -Value Name: EnumerateAdministrators - -Value Type: REG_DWORD -Value: 0WN10-SO-000080<GroupDescription></GroupDescription>WN10-SO-000080The Windows dialog box title for the legal banner must be configured.<VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system 
resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000048CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Message title for users attempting to log on" to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. - -If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in WN10-SO-000075.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: LegalNoticeCaption - -Value Type: REG_SZ -Value: See message title above - -"DoD Notice and Consent Banner", "US Department of Defense Warning Statement" or a site-defined equivalent, this is a finding. - -If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in WN10-SO-000075.WN10-CC-000205<GroupDescription></GroupDescription>WN10-CC-000205Windows Telemetry must not be configured to Full.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. 
The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender and telemetry client settings. "Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services. "Enhanced" includes additional information on how Windows and apps are used and advanced reliability data. Windows Analytics can use a "limited enhanced" level to provide information such as health data for devices. This requires the configuration of an additional setting available with v1709 and later of Windows 10. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Data Collection and Preview Builds >> "Allow Telemetry" to "Enabled" with "0 - Security [Enterprise Only]" or "1 - Basic" selected in "Options:". - -If an organization is using v1709 or later of Windows 10 this may be configured to "2 - Enhanced" to support Windows Analytics. V-82145 must also be configured to limit the Enhanced diagnostic data to the minimum required by Windows Analytics.If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\ - -Value Name: AllowTelemetry - -Type: REG_DWORD -Value: 0x00000000 (0) (Security) -0x00000001 (1) (Basic) - -If an organization is using v1709 or later of Windows 10 this may be configured to "Enhanced" to support Windows Analytics. 
V-82145 must also be configured to limit the Enhanced diagnostic data to the minimum required by Windows Analytics. This registry value will then be 0x00000002 (2).WN10-CC-000210<GroupDescription></GroupDescription>WN10-CC-000210The Windows Defender SmartScreen for Explorer must be enabled.<VulnDiscussion>Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling Windows Defender SmartScreen will warn or prevent users from running potentially malicious programs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows Defender SmartScreen" to "Enabled" with "Warn and prevent bypass" selected. - -Windows 10 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Explorer. - -v1607 LTSB: -Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled". (Selection options are not available.) - -v1507 LTSB: -Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled" with "Require approval from an administrator before running downloaded unknown software" selected.This is applicable to unclassified systems, for other systems this is NA. 
- -If the following registry values do not exist or are not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ - -Value Name: EnableSmartScreen - -Value Type: REG_DWORD -Value: 0x00000001 (1) - -And - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ - -Value Name: ShellSmartScreenLevel - -Value Type: REG_SZ -Value: Block - -v1607 LTSB: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ - -Value Name: EnableSmartScreen - -Value Type: REG_DWORD -Value: 0x00000001 (1) - -v1507 LTSB: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ - -Value Name: EnableSmartScreen - -Value Type: REG_DWORD -Value: 0x00000002 (2)WN10-SO-000085<GroupDescription></GroupDescription>WN10-SO-000085Caching of logon credentials must be limited.<VulnDiscussion>The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well-protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366This is the default configuration for this setting (10 logons to cache). 
- -Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to "10" logons or less. - -This setting only applies to domain-joined systems, however, it is configured by default on all systems.This is the default configuration for this setting (10 logons to cache). - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Value Name: CachedLogonsCount - -Value Type: REG_SZ -Value: 10 (or less) - -This setting only applies to domain-joined systems, however, it is configured by default on all systems.WN10-CC-000215<GroupDescription></GroupDescription>WN10-CC-000215Explorer Data Execution Prevention must be enabled.<VulnDiscussion>Data Execution Prevention (DEP) provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being turned off for File Explorer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002824The default behavior is for data execution prevention to be turned on for file explorer. 
- -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off Data Execution Prevention for Explorer" to "Not Configured" or "Disabled".The default behavior is for data execution prevention to be turned on for file explorer. - -If the registry value name below does not exist, this is not a finding. - -If it exists and is configured with a value of "0", this is not a finding. - -If it exists and is configured with a value of "1", this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ - -Value Name: NoDataExecutionPrevention - -Value Type: REG_DWORD -Value: 0 (or if the Value Name does not exist)WN10-CC-000220<GroupDescription></GroupDescription>WN10-CC-000220Turning off File Explorer heap termination on corruption must be disabled.<VulnDiscussion>Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002385The default behavior is for File Explorer heap termination on corruption to be enabled. - -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off heap termination on corruption" to "Not Configured" or "Disabled".The default behavior is for File Explorer heap termination on corruption to be enabled. - -If the registry Value Name below does not exist, this is not a finding. 
- -If it exists and is configured with a value of "0", this is not a finding. - -If it exists and is configured with a value of "1", this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ - -Value Name: NoHeapTerminationOnCorruption - -Value Type: REG_DWORD -Value: 0x00000000 (0) (or if the Value Name does not exist)WN10-CC-000225<GroupDescription></GroupDescription>WN10-CC-000225File Explorer shell protocol must run in protected mode.<VulnDiscussion>The shell protocol will limit the set of folders applications can open when run in protected mode. Restricting files an application can open, to a limited set of folders, increases the security of Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366The default behavior is for shell protected mode to be turned on for file explorer. - -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled".The default behavior is for shell protected mode to be turned on for file explorer. - -If the registry value name below does not exist, this is not a finding. - -If it exists and is configured with a value of "0", this is not a finding. - -If it exists and is configured with a value of "1", this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ - -Value Name: PreXPSP2ShellProtocolBehavior - -Value Type: REG_DWORD -Value: 0 (or if the Value Name does not exist)WN10-SO-000095<GroupDescription></GroupDescription>WN10-SO-000095The Smart Card removal option must be configured to Force Logoff or Lock Workstation.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Value Name: SCRemoveOption - -Value Type: REG_SZ -Value: 1 (Lock Workstation) or 2 (Force Logoff) - -This can be left not configured or set to "No action" on workstations with the following conditions. This must be documented with the ISSO. --The setting cannot be configured due to mission needs, or because it interferes with applications. --Policy must be in place that users manually lock workstations when leaving them unattended. 
--The screen saver is properly configured to lock as required.WN10-CC-000230<GroupDescription></GroupDescription>WN10-CC-000230Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.<VulnDiscussion>The Windows Defender SmartScreen filter in Microsoft Edge provides warning messages and blocks potentially malicious websites and file downloads. If users are allowed to ignore warnings from the Windows Defender SmartScreen filter they could still access malicious websites.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Edge >> "Prevent bypassing Windows Defender SmartScreen prompts for sites" to "Enabled". - -Windows 10 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Microsoft Edge.This is applicable to unclassified systems, for other systems this is NA. - -Windows 10 LTSC\B versions do not include Microsoft Edge, this is NA for those systems. - -If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\ - -Value Name: PreventOverride - -Type: REG_DWORD -Value: 0x00000001 (1)WN10-CC-000235<GroupDescription></GroupDescription>WN10-CC-000235Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.<VulnDiscussion>The Windows Defender SmartScreen filter in Microsoft Edge provides warning messages and blocks potentially malicious websites and file downloads. If users are allowed to ignore warnings from the Windows Defender SmartScreen filter they could still download potentially malicious files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Edge >> "Prevent bypassing Windows Defender SmartScreen prompts for files" to "Enabled". - -Windows 10 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Microsoft Edge.This is applicable to unclassified systems, for other systems this is NA. - -Windows 10 LTSC\B versions do not include Microsoft Edge, this is NA for those systems. - -If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\ - -Value Name: PreventOverrideAppRepUnknown - -Type: REG_DWORD -Value: 0x00000001 (1)WN10-SO-000100<GroupDescription></GroupDescription>WN10-SO-000100The Windows SMB client must be configured to always perform SMB packet signing.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ - -Value Name: RequireSecuritySignature - -Value Type: REG_DWORD -Value: 1WN10-CC-000245<GroupDescription></GroupDescription>WN10-CC-000245The password manager function in the Edge browser must be disabled.<VulnDiscussion>Passwords save locally for re-use when browsing may be subject to compromise. 
Disabling the Edge password manager will prevent this for the browser.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Edge >> "Configure Password Manager" to "Disabled".Windows 10 LTSC\B versions do not include Microsoft Edge, this is NA for those systems. - -If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\ - -Value Name: FormSuggest Passwords - -Type: REG_SZ -Value: noWN10-SO-000110<GroupDescription></GroupDescription>WN10-SO-000110Unencrypted passwords must not be sent to third-party SMB Servers.<VulnDiscussion>Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the overall security of the environment. 
Check with the vendor of the SMB server to see if there is a way to support encrypted password authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000197Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Send unencrypted password to third-party SMB servers" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ - -Value Name: EnablePlainTextPassword - -Value Type: REG_DWORD -Value: 0WN10-CC-000250<GroupDescription></GroupDescription>WN10-CC-000250The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.<VulnDiscussion>The Windows Defender SmartScreen filter in Microsoft Edge provides warning messages and blocks potentially malicious websites.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Edge >> "Configure Windows Defender SmartScreen" to "Enabled". 
- -Windows 10 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Microsoft Edge.This is applicable to unclassified systems, for other systems this is NA. - -Windows 10 LTSC\B versions do not include Microsoft Edge, this is NA for those systems. - -If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter\ - -Value Name: EnabledV9 - -Type: REG_DWORD -Value: 0x00000001 (1)WN10-CC-000255<GroupDescription></GroupDescription>WN10-CC-000255The use of a hardware security device with Windows Hello for Business must be enabled.<VulnDiscussion>The use of a Trusted Platform Module (TPM) to store keys for Windows Hello for Business provides additional security. Keys stored in the TPM may only be used on that system while keys stored using software are more susceptible to compromise and could be used on other systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Hello for Business >> "Use a hardware security device" to "Enabled". - -v1507 LTSB: -The policy path is Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Passport for Work.Virtual desktop implementations currently may not support the use of TPMs. 
For virtual desktop implementations where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\PassportForWork\ - -Value Name: RequireSecurityDevice - -Type: REG_DWORD -Value: 1WN10-SO-000120<GroupDescription></GroupDescription>WN10-SO-000120The Windows SMB server must be configured to always perform SMB packet signing.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ - -Value Name: RequireSecuritySignature - -Value Type: REG_DWORD -Value: 1WN10-CC-000260<GroupDescription></GroupDescription>WN10-CC-000260Windows 10 must be configured to require a minimum pin length of six characters or greater.<VulnDiscussion>Windows allows the use of PINs as well as biometrics for 
authentication without sending a password to a network or website where it could be compromised. Longer minimum PIN lengths increase the available combinations an attacker would have to attempt. Shorter minimum length significantly reduces the strength.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> System >> PIN Complexity >> "Minimum PIN length" to "6" or greater. - -v1607 LTSB: -The policy path is Computer Configuration >> Administrative Templates >> Windows Components >> Windows Hello for Business >> Pin Complexity. - -v1507 LTSB: -The policy path is Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Passport for Work >> Pin Complexity.If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity\ - -Value Name: MinimumPINLength - -Type: REG_DWORD -Value: 6 (or greater)WN10-CC-000270<GroupDescription></GroupDescription>WN10-CC-000270Passwords must not be saved in the Remote Desktop Client.<VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. 
The system must be configured to prevent users from saving passwords in the Remote Desktop Client.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002038Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> "Do not allow passwords to be saved" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: DisablePasswordSaving - -Value Type: REG_DWORD -Value: 1WN10-CC-000275<GroupDescription></GroupDescription>WN10-CC-000275Local drives must be prevented from sharing with Remote Desktop Session Hosts.<VulnDiscussion>Preventing users from sharing the local drives on their client computers to Remote Session Hosts that they access helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001090Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> "Do not allow drive 
redirection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fDisableCdm - -Value Type: REG_DWORD -Value: 1WN10-CC-000280<GroupDescription></GroupDescription>WN10-CC-000280Remote Desktop Services must always prompt a client for passwords upon connection.<VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002038Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Always prompt for password upon connection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fPromptForPassword - -Value Type: REG_DWORD -Value: 1WN10-CC-000285<GroupDescription></GroupDescription>WN10-CC-000285The Remote Desktop Session Host must require secure RPC communications.<VulnDiscussion>Allowing unsecure RPC communication exposes the system to man in the middle attacks and data disclosure attacks. 
A man in the middle attack occurs when an intruder captures packets between a client and server and modifies them before allowing the packets to be exchanged. Usually the attacker will modify the information in the packets in an attempt to cause either the client or server to reveal sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001453Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security "Require secure RPC communication" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fEncryptRPCTraffic - -Value Type: REG_DWORD -Value: 1WN10-SO-000140<GroupDescription></GroupDescription>WN10-SO-000140Anonymous SID/Name translation must not be allowed.<VulnDiscussion>Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. 
Only authorized users must be able to perform such translations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Allow anonymous SID/Name translation" to "Disabled".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. - -If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.WN10-CC-000290<GroupDescription></GroupDescription>WN10-CC-000290Remote Desktop Services must be configured with the client connection encryption set to the required level.<VulnDiscussion>Remote connections must be encrypted to prevent interception of data or sensitive information. 
Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000068CCI-002890Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Set client connection encryption level" to "Enabled" and "High Level".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: MinEncryptionLevel - -Value Type: REG_DWORD -Value: 3WN10-CC-000295<GroupDescription></GroupDescription>WN10-CC-000295Attachments must be prevented from being downloaded from RSS feeds.<VulnDiscussion>Attachments from RSS feeds may not be secure. 
This setting will prevent attachments from being downloaded from RSS feeds.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Prevent downloading of enclosures" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ - -Value Name: DisableEnclosureDownload - -Value Type: REG_DWORD -Value: 1WN10-SO-000145<GroupDescription></GroupDescription>WN10-SO-000145Anonymous enumeration of SAM accounts must not be allowed.<VulnDiscussion>Anonymous enumeration of SAM accounts allows anonymous log on users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled".If the following registry value does not exist or is not configured as 
specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ - -Value Name: RestrictAnonymousSAM - -Value Type: REG_DWORD -Value: 1WN10-CC-000300<GroupDescription></GroupDescription>WN10-CC-000300Basic authentication for RSS feeds over HTTP must not be used.<VulnDiscussion>Basic authentication uses plain text passwords that could be used to compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. - -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Turn on Basic feed authentication over HTTP" to "Not Configured" or "Disabled".The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. - -If the registry value name below does not exist, this is not a finding. - -If it exists and is configured with a value of "0", this is not a finding. - -If it exists and is configured with a value of "1", this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ - -Value Name: AllowBasicAuthInClear - -Value Type: REG_DWORD -Value: 0 (or if the Value Name does not exist)WN10-SO-000150<GroupDescription></GroupDescription>WN10-SO-000150Anonymous enumeration of shares must be restricted.<VulnDiscussion>Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001090Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ - -Value Name: RestrictAnonymous - -Value Type: REG_DWORD -Value: 1WN10-CC-000305<GroupDescription></GroupDescription>WN10-CC-000305Indexing of encrypted files must be turned off.<VulnDiscussion>Indexing of encrypted files may expose sensitive data. 
This setting prevents encrypted files from being indexed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> "Allow indexing of encrypted files" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Windows Search\ - -Value Name: AllowIndexingEncryptedStoresOrItems - -Value Type: REG_DWORD -Value: 0WN10-SO-000160<GroupDescription></GroupDescription>WN10-SO-000160The system must be configured to prevent anonymous users from having the same rights as the Everyone group.<VulnDiscussion>Access by anonymous users must be restricted. If this setting is enabled, then anonymous users have the same rights and permissions as the built-in Everyone group. 
Anonymous users must not have these permissions or rights.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Let Everyone permissions apply to anonymous users" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ - -Value Name: EveryoneIncludesAnonymous - -Value Type: REG_DWORD -Value: 0WN10-SO-000165<GroupDescription></GroupDescription>WN10-SO-000165Anonymous access to Named Pipes and Shares must be restricted.<VulnDiscussion>Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. 
This setting restricts access to those defined in "Network access: Named Pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously", both of which must be blank under other requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001090Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ - -Value Name: RestrictNullSessAccess - -Value Type: REG_DWORD -Value: 1WN10-SO-000180<GroupDescription></GroupDescription>WN10-SO-000180NTLM must be prevented from falling back to a Null session.<VulnDiscussion>NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow 
LocalSystem NULL session fallback" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ - -Value Name: allownullsessionfallback - -Value Type: REG_DWORD -Value: 0WN10-SO-000185<GroupDescription></GroupDescription>WN10-SO-000185PKU2U authentication using online identities must be prevented.<VulnDiscussion>PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\pku2u\ - -Value Name: AllowOnlineID - -Value Type: REG_DWORD -Value: 0WN10-SO-000190<GroupDescription></GroupDescription>WN10-SO-000190Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.<VulnDiscussion>Certain encryption types are no longer considered secure. 
This setting configures a minimum encryption type for Kerberos, preventing the use of the DES and RC4 encryption suites.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000803Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: - -AES128_HMAC_SHA1 -AES256_HMAC_SHA1 -Future encryption typesIf the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ - -Value Name: SupportedEncryptionTypes - -Value Type: REG_DWORD -Value: 0x7ffffff8 (2147483640)WN10-SO-000195<GroupDescription></GroupDescription>WN10-SO-000195The system must be configured to prevent the storage of the LAN Manager hash of passwords.<VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. 
This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000196Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ - -Value Name: NoLMHash - -Value Type: REG_DWORD -Value: 1WN10-SO-000205<GroupDescription></GroupDescription>WN10-SO-000205The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.<VulnDiscussion>The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. 
It is also used to authenticate logons to stand-alone computers that are running later versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ - -Value Name: LmCompatibilityLevel - -Value Type: REG_DWORD -Value: 5WN10-SO-000210<GroupDescription></GroupDescription>WN10-SO-000210The system must be configured to the required LDAP client signing level.<VulnDiscussion>This setting controls the signing requirements for LDAP clients. 
This setting must be set to Negotiate signing or Require signing, depending on the environment and type of LDAP server in use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ - -Value Name: LDAPClientIntegrity - -Value Type: REG_DWORD -Value: 1WN10-SO-000215<GroupDescription></GroupDescription>WN10-SO-000215The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.<VulnDiscussion>Microsoft has implemented a variety of security support providers for use with RPC sessions. 
All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ - -Value Name: NTLMMinClientSec - -Value Type: REG_DWORD -Value: 0x20080000 (537395200)WN10-SO-000220<GroupDescription></GroupDescription>WN10-SO-000220The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.<VulnDiscussion>Microsoft has implemented a variety of security support providers for use with RPC sessions. 
All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ - -Value Name: NTLMMinServerSec - -Value Type: REG_DWORD -Value: 0x20080000 (537395200)WN10-SO-000230<GroupDescription></GroupDescription>WN10-SO-000230The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.<VulnDiscussion>This setting ensures that the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. 
Government and must be the algorithms used for all OS encryption functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002450Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ - -Value Name: Enabled - -Value Type: REG_DWORD -Value: 1 - -Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS otherwise the browser will not be able to connect to a secure site.WN10-SO-000240<GroupDescription></GroupDescription>WN10-SO-000240The default permissions of global system objects must be increased.<VulnDiscussion>Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. 
If this policy is enabled, the default DACL is stronger, allowing non-admin users to read shared objects, but not modify shared objects that they did not create.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic links)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ - -Value Name: ProtectionMode - -Value Type: REG_DWORD -Value: 1WN10-SO-000245<GroupDescription></GroupDescription>WN10-SO-000245User Account Control approval mode for the built-in Administrator must be enabled.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002038Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: FilterAdministratorToken - -Value Type: REG_DWORD -Value: 1WN10-SO-000250<GroupDescription></GroupDescription>WN10-SO-000250User Account Control must, at minimum, prompt administrators for consent on the secure desktop.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures the elevation requirements for logged on administrators to complete a task that requires raised privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001084Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent on the secure desktop".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: ConsentPromptBehaviorAdmin - -Value Type: REG_DWORD -Value: 2 (Prompt for consent on the secure desktop)WN10-SO-000255<GroupDescription></GroupDescription>WN10-SO-000255User Account Control must automatically deny elevation requests for standard users.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Denying elevation requests from standard user accounts requires tasks that need elevation to be initiated by accounts with administrative privileges. 
This ensures correct accounts are used on the system for privileged tasks to help mitigate credential theft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002038Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: ConsentPromptBehaviorUser - -Value Type: REG_DWORD -Value: 0WN10-SO-000260<GroupDescription></GroupDescription>WN10-SO-000260User Account Control must be configured to detect application installations and prompt for elevation.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting requires Windows to respond to application installation requests by prompting for credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001084Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Detect application installations and prompt for elevation" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: EnableInstallerDetection - -Value Type: REG_DWORD -Value: 1WN10-SO-000265<GroupDescription></GroupDescription>WN10-SO-000265User Account Control must only elevate UIAccess applications that are installed in secure locations.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\System32 folders, to run with elevated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001084Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: EnableSecureUIAPaths - -Value Type: REG_DWORD -Value: 1WN10-SO-000270<GroupDescription></GroupDescription>WN10-SO-000270User Account Control must run all administrators in Admin Approval Mode, enabling UAC.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting enables UAC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002038Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: EnableLUA - -Value Type: REG_DWORD -Value: 1WN10-SO-000275<GroupDescription></GroupDescription>WN10-SO-000275User Account Control must virtualize file and registry write failures to per-user locations.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures non-UAC compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001084Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: EnableVirtualization - -Value Type: REG_DWORD -Value: 1WN10-UC-000015<GroupDescription></GroupDescription>WN10-UC-000015Toast notifications to the lock screen must be turned off.<VulnDiscussion>Toast notifications that are displayed on the lock screen could display sensitive information to unauthorized personnel. 
Turning off this feature will limit access to the information to a logged on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for User Configuration >> Administrative Templates >> Start Menu and Taskbar >> Notifications >> "Turn off toast notifications on the lock screen" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ - -Value Name: NoToastApplicationNotificationOnLockScreen - -Value Type: REG_DWORD -Value: 1WN10-UC-000020<GroupDescription></GroupDescription>WN10-UC-000020Zone information must be preserved when saving attachments.<VulnDiscussion>Preserving zone of origin (internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366The default behavior is for Windows to mark file attachments with their zone information. 
- -If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> "Do not preserve zone information in file attachments" to "Not Configured" or "Disabled".The default behavior is for Windows to mark file attachments with their zone information. - -If the registry Value Name below does not exist, this is not a finding. - -If it exists and is configured with a value of "2", this is not a finding. - -If it exists and is configured with a value of "1", this is a finding. - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ - -Value Name: SaveZoneInformation - -Value Type: REG_DWORD -Value: 0x00000002 (2) (or if the Value Name does not exist)WN10-UR-000005<GroupDescription></GroupDescription>WN10-UR-000005The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -Accounts with the "Access Credential Manager as a trusted caller" user right may be able to retrieve the credentials of other accounts from Credential Manager.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. 
-Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts are granted the "Access Credential Manager as a trusted caller" user right, this is a finding.WN10-UR-000010<GroupDescription></GroupDescription>WN10-UR-000010The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -Accounts with the "Access this computer from the network" user right may access resources on the system, and must be limited to those that require it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to only include the following groups or accounts: - -Administrators -Remote Desktop UsersVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Access this computer from the network" user right, this is a finding: - -Administrators -Remote Desktop Users - -If a domain application account such as for a management tool requires this user right, this would not be a finding. 
- -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. - -The application account, managed at the domain level, must meet requirements for application account passwords, such as length and frequency of changes as defined in the Windows server STIGs.WN10-UR-000015<GroupDescription></GroupDescription>WN10-UR-000015The Act as part of the operating system user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -Accounts with the "Act as part of the operating system" user right can assume the identity of any user and gain access to resources that user is authorized to access. Any accounts with this right can take complete control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
- -If any groups or accounts (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding.WN10-UR-000025<GroupDescription></GroupDescription>WN10-UR-000025The Allow log on locally user right must only be assigned to the Administrators and Users groups.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Allow log on locally" user right can log on interactively to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to only include the following groups or accounts: - -Administrators -UsersVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Allow log on locally" user right, this is a finding: - -Administrators -UsersWN10-UR-000030<GroupDescription></GroupDescription>WN10-UR-000030The Back up files and directories user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. 
- -Accounts with the "Back up files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Back up files and directories" user right, this is a finding: - -AdministratorsWN10-UR-000035<GroupDescription></GroupDescription>WN10-UR-000035The Change the system time user right must only be assigned to Administrators and Local Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. 
- -Accounts with the "Change the system time" user right can change the system time, which can impact authentication, as well as affect time stamps on event log entries.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Change the system time" to only include the following groups or accounts: - -Administrators -LOCAL SERVICEVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Change the system time" user right, this is a finding: - -Administrators -LOCAL SERVICEWN10-UR-000040<GroupDescription></GroupDescription>WN10-UR-000040The Create a pagefile user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. 
- -Accounts with the "Create a pagefile" user right can change the size of a pagefile, which could affect system performance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a pagefile" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Create a pagefile" user right, this is a finding: - -AdministratorsWN10-UR-000045<GroupDescription></GroupDescription>WN10-UR-000045The Create a token object user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -The "Create a token object" user right allows a process to create an access token. 
This could be used to provide elevated rights and compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts are granted the "Create a token object" user right, this is a finding.WN10-UR-000050<GroupDescription></GroupDescription>WN10-UR-000050The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. 
- -Accounts with the "Create global objects" user right can create objects that are available to all sessions, which could affect processes in other users' sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create global objects" to only include the following groups or accounts: - -Administrators -LOCAL SERVICE -NETWORK SERVICE -SERVICEVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Create global objects" user right, this is a finding: - -Administrators -LOCAL SERVICE -NETWORK SERVICE -SERVICEWN10-UR-000055<GroupDescription></GroupDescription>WN10-UR-000055The Create permanent shared objects user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. 
- -Accounts with the "Create permanent shared objects" user right could expose sensitive data by creating shared objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create permanent shared objects" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts are granted the "Create permanent shared objects" user right, this is a finding.WN10-UR-000060<GroupDescription></GroupDescription>WN10-UR-000060The Create symbolic links user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. 
- -Accounts with the "Create symbolic links" user right can create pointers to other objects, which could potentially expose the system to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create symbolic links" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Create symbolic links" user right, this is a finding: - -Administrators - -If the workstation has an approved use of Hyper-V, such as being used as a dedicated admin workstation using Hyper-V to separate administration and standard user functions, "NT VIRTUAL MACHINES\VIRTUAL MACHINE" may be assigned this user right and is not a finding.WN10-UR-000065<GroupDescription></GroupDescription>WN10-UR-000065The Debug programs user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -Accounts with the "Debug Programs" user right can attach a debugger to any process or to the kernel, providing complete access to sensitive and critical operating system components. 
This right is given to Administrators in the default configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Debug Programs" user right, this is a finding: - -AdministratorsWN10-UR-000070<GroupDescription></GroupDescription>WN10-UR-000070The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Deny access to this computer from the network" right defines the accounts that are prevented from logging on from the network. - -In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. 
- -Local accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. - -The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following. - -Domain Systems Only: -Enterprise Admins group -Domain Admins group -Local account (see Note below) - -All Systems: -Guests group - -Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) - -Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
- -If the following groups or accounts are not defined for the "Deny access to this computer from the network" right, this is a finding: - -Domain Systems Only: -Enterprise Admins group -Domain Admins group -Local account (see Note below) - -All Systems: -Guests group - -Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) - -Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.WN10-UR-000075<GroupDescription></GroupDescription>WN10-UR-000075The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -The "Deny log on as a batch job" right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler. - -In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000213This requirement is applicable to domain-joined systems, for standalone systems this is NA. 
- -Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following. - -Domain Systems Only: -Enterprise Admin Group -Domain Admin GroupThis requirement is applicable to domain-joined systems, for standalone systems this is NA. - -Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If the following groups or accounts are not defined for the "Deny log on as a batch job" right, this is a finding: - -Domain Systems Only: -Enterprise Admin Group -Domain Admin GroupWN10-UR-000080<GroupDescription></GroupDescription>WN10-UR-000080The Deny log on as a service user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -The "Deny log on as a service" right defines accounts that are denied log on as a service. - -In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. 
- -Incorrect configurations could prevent services from starting and result in a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000213This requirement is applicable to domain-joined systems, for standalone systems this is NA. - -Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include the following. - -Domain Systems Only: -Enterprise Admins Group -Domain Admins GroupThis requirement is applicable to domain-joined systems, for standalone systems this is NA. - -Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If the following groups or accounts are not defined for the "Deny log on as a service" right , this is a finding: - -Domain Systems Only: -Enterprise Admins Group -Domain Admins GroupWN10-UR-000085<GroupDescription></GroupDescription>WN10-UR-000085The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Deny log on locally" right defines accounts that are prevented from logging on interactively. 
- -In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. - -The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following. - -Domain Systems Only: -Enterprise Admins Group -Domain Admins Group - -Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) - -All Systems: -Guests GroupVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If the following groups or accounts are not defined for the "Deny log on locally" right, this is a finding. - -Domain Systems Only: -Enterprise Admins Group -Domain Admins Group - -Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) 
- -All Systems: -Guests GroupWN10-UR-000090<GroupDescription></GroupDescription>WN10-UR-000090The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Deny log on through Remote Desktop Services" right defines the accounts that are prevented from logging on using Remote Desktop Services. - -If Remote Desktop Services is not used by the organization, the Everyone group must be assigned this right to prevent all access. - -In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. - -Local accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. - -The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000213CCI-002314Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following. 
- -If Remote Desktop Services is not used by the organization, assign the Everyone group this right to prevent all access. - -Domain Systems Only: -Enterprise Admins group -Domain Admins group -Local account (see Note below) - -All Systems: -Guests group - -Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) - -Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If the following groups or accounts are not defined for the "Deny log on through Remote Desktop Services" right, this is a finding: - -If Remote Desktop Services is not used by the organization, the "Everyone" group can replace all of the groups listed below. - -Domain Systems Only: -Enterprise Admins group -Domain Admins group -Local account (see Note below) - -All Systems: -Guests group - -Privileged Access Workstations (PAWs) dedicated to the management of Active Directory are exempt from denying the Enterprise Admins and Domain Admins groups. (See the Windows Privileged Access Workstation STIG for PAW requirements.) - -Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.WN10-UR-000095<GroupDescription></GroupDescription>WN10-UR-000095The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. 
- -The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. This could potentially allow unauthorized users to impersonate other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding.WN10-UR-000100<GroupDescription></GroupDescription>WN10-UR-000100The Force shutdown from a remote system user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. 
- -Accounts with the "Force shutdown from a remote system" user right can remotely shut down a system which could result in a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: - -AdministratorsWN10-UR-000110<GroupDescription></GroupDescription>WN10-UR-000110The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -The "Impersonate a client after authentication" user right allows a program to impersonate another user or account to run on their behalf. 
An attacker could potentially use this to elevate privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to only include the following groups or accounts: - -Administrators -LOCAL SERVICE -NETWORK SERVICE -SERVICEVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: - -Administrators -LOCAL SERVICE -NETWORK SERVICE -SERVICEWN10-UR-000120<GroupDescription></GroupDescription>WN10-UR-000120The Load and unload device drivers user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -The "Load and unload device drivers" user right allows device drivers to dynamically be loaded on a system by a user. 
This could potentially be used to install malicious code by an attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Load and unload device drivers" user right, this is a finding: - -AdministratorsWN10-UR-000125<GroupDescription></GroupDescription>WN10-UR-000125The Lock pages in memory user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. 
- -The "Lock pages in memory" user right allows physical memory to be assigned to processes, which could cause performance issues or a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts are granted the "Lock pages in memory" user right, this is a finding.WN10-UR-000130<GroupDescription></GroupDescription>WN10-UR-000130The Manage auditing and security log user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -Accounts with the "Manage auditing and security log" user right can manage the security log and change auditing configurations. 
This could be used to clear evidence of tampering.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000162CCI-000163CCI-000164CCI-000171CCI-001914Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Manage auditing and security log" user right, this is a finding: - -Administrators - -If the organization has an "Auditors" group the assignment of this group to the user right would not be a finding.WN10-UR-000140<GroupDescription></GroupDescription>WN10-UR-000140The Modify firmware environment values user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -Accounts with the "Modify firmware environment values" user right can change hardware configuration environment variables. 
This could result in hardware failures or a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Modify firmware environment values" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Modify firmware environment values" user right, this is a finding: - -AdministratorsWN10-UR-000145<GroupDescription></GroupDescription>WN10-UR-000145The Perform volume maintenance tasks user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -Accounts with the "Perform volume maintenance tasks" user right can manage volume and disk configurations. 
They could potentially delete volumes, resulting in, data loss or a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: - -AdministratorsWN10-UR-000150<GroupDescription></GroupDescription>WN10-UR-000150The Profile single process user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -Accounts with the "Profile single process" user right can monitor non-system processes performance. 
An attacker could potentially use this to identify processes to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Profile single process" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Profile single process" user right, this is a finding: - -AdministratorsWN10-UR-000160<GroupDescription></GroupDescription>WN10-UR-000160The Restore files and directories user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. - -Accounts with the "Restore files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data. 
It could also be used to over-write more current data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Restore files and directories" user right, this is a finding: - -AdministratorsWN10-UR-000165<GroupDescription></GroupDescription>WN10-UR-000165The Take ownership of files or other objects user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. 
- -Accounts with the "Take ownership of files or other objects" user right can take ownership of objects and make changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Take ownership of files or other objects" to only include the following groups or accounts: - -AdministratorsVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any groups or accounts other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: - -AdministratorsWN10-CC-000206<GroupDescription></GroupDescription>WN10-CC-000206Windows Update must not obtain updates from other PCs on the Internet.<VulnDiscussion>Windows 10 allows Windows Update to obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well as on the Internet. 
This is part of the Windows Update trusted process, however to minimize outside exposure, obtaining updates from or sending to systems on the Internet must be prevented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Delivery Optimization >> "Download Mode" to "Enabled" with any option except "Internet" selected. - -Acceptable selections include: -Bypass (100) -Group (2) -HTTP only (0) -LAN (1) -Simple (99) - -v1507 (LTSB) does not include this group policy setting locally. For domain joined systems, configure through domain group policy as "HTTP only (0)" or "Lan (1)". Standalone systems configure using Settings >> Update & Security >> Windows Update >> Advanced Options >> "Choose how updates are delivered" with either "Off" or "PCs on my local network" selected.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\ - -Value Name: DODownloadMode - -Value Type: REG_DWORD -Value: 0x00000000 (0) - No peering (HTTP Only) -0x00000001 (1) - Peers on same NAT only (LAN) -0x00000002 (2) - Local Network / Private group peering (Group) -0x00000063 (99) - Simple download mode, no peering (Simple) -0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass) - -A value of 0x00000003 (3), Internet, is a finding. - -v1507 LTSB: -Domain joined systems: -Verify the registry value above. 
-If the value is not 0x00000000 (0) or 0x00000001 (1), this is a finding. - -Standalone systems (configured in Settings): -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\ - -Value Name: DODownloadMode - -Value Type: REG_DWORD -Value: 0x00000000 (0) - Off -0x00000001 (1) - LANWN10-CC-000066<GroupDescription></GroupDescription>WN10-CC-000066Command line data must be included in process creation events.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Enabling "Include command line data for process creation events" will record the command line information with the process creation events in the log. This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000135Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> "Include command line in process creation events" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ - -Value Name: ProcessCreationIncludeCmdLine_Enabled - -Value Type: REG_DWORD -Value: 1WN10-CC-000326<GroupDescription></GroupDescription>WN10-CC-000326PowerShell script block logging must be enabled on Windows 10.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000135Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ - -Value Name: EnableScriptBlockLogging - -Value Type: REG_DWORD -Value: 1WN10-00-000145<GroupDescription></GroupDescription>WN10-00-000145Data Execution Prevention (DEP) must be configured to at least OptOut.<VulnDiscussion>Attackers are constantly looking for vulnerabilities in systems and applications. Data Execution Prevention (DEP) prevents harmful code from running in protected memory locations reserved for Windows and other programs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002824Configure DEP to at least OptOut. - -Note: Suspend BitLocker before making changes to the DEP configuration. - -Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator). -Enter "BCDEDIT /set {current} nx OptOut". (If using PowerShell "{current}" must be enclosed in quotes.) -"AlwaysOn", a more restrictive selection, is also valid but does not allow applications that do not function properly to be opted out of DEP. - -Opted out exceptions can be configured in the "System Properties". - -Open "System" in Control Panel. -Select "Advanced system settings". -Click "Settings" in the "Performance" section. -Select the "Data Execution Prevention" tab. -Applications that are opted out are configured in the window below the selection "Turn on DEP for all programs and services except those I select:".Verify the DEP configuration. -Open a command prompt (cmd.exe) or PowerShell with elevated privileges (Run as administrator). -Enter "BCDEdit /enum {current}". 
(If using PowerShell "{current}" must be enclosed in quotes.) -If the value for "nx" is not "OptOut", this is a finding. -(The more restrictive configuration of "AlwaysOn" would not be a finding.)WN10-00-000150<GroupDescription></GroupDescription>WN10-00-000150Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.<VulnDiscussion>Attackers are constantly looking for vulnerabilities in systems and applications. Structured Exception Handling Overwrite Protection (SEHOP) blocks exploits that use the Structured Exception Handling overwrite technique, a common buffer overflow attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002824Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Enable Structured Exception Handling Overwrite Protection (SEHOP)" to "Enabled". - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.This is applicable to Windows 10 prior to v1709. - -Verify SEHOP is turned on. - -If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\kernel\ - -Value Name: DisableExceptionChainValidation - -Value Type: REG_DWORD -Value: 0x00000000 (0)WN10-00-000155<GroupDescription></GroupDescription>WN10-00-000155The Windows PowerShell 2.0 feature must be disabled on the system.<VulnDiscussion>Windows PowerShell 5.0 added advanced logging features which can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Disable "Windows PowerShell 2.0" on the system. - -Run "Windows PowerShell" with elevated privileges (run as administrator). -Enter the following: -Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root - -This command should disable both "MicrosoftWindowsPowerShellV2Root" and "MicrosoftWindowsPowerShellV2" which correspond to "Windows PowerShell 2.0" and "Windows PowerShell 2.0 Engine" respectively in "Turn Windows features on or off". - -Alternately: -Search for "Features". -Select "Turn Windows features on or off". -De-select "Windows PowerShell 2.0".Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter the following: -Get-WindowsOptionalFeature -Online | Where FeatureName -like *PowerShellv2* - -If either of the following have a "State" of "Enabled", this is a finding. 
- -FeatureName : MicrosoftWindowsPowerShellV2 -State : Enabled -FeatureName : MicrosoftWindowsPowerShellV2Root -State : Enabled - -Alternately: -Search for "Features". - -Select "Turn Windows features on or off". - -If "Windows PowerShell 2.0" (whether the subcategory of "Windows PowerShell 2.0 Engine" is selected or not) is selected, this is a finding.WN10-00-000160<GroupDescription></GroupDescription>WN10-00-000160The Server Message Block (SMB) v1 protocol must be disabled on the system.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant. - -Disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1. File shares and print services hosted on Windows Server 2003 are an example, however Windows Server 2003 is no longer a supported operating system. Some older Network Attached Storage (NAS) devices may only support SMBv1.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Disable the SMBv1 protocol. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter the following: -Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol - -Alternately: -Search for "Features". - -Select "Turn Windows features on or off". - -De-select "SMB 1.0/CIFS File Sharing Support".Different methods are available to disable SMBv1 on Windows 10. This is the preferred method, however if V-74723 and V-74725 are configured, this is NA. 
- -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter the following: -Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol - -If "State : Enabled" is returned, this is a finding. - -Alternately: -Search for "Features". - -Select "Turn Windows features on or off". - -If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding.WN10-AU-000054<GroupDescription></GroupDescription>WN10-AU-000054The system must be configured to audit Logon/Logoff - Account Lockout failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Account Lockout events can be used to identify potentially malicious logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: - -Open a Command Prompt with elevated privileges ("Run as Administrator"). - -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Logon/Logoff >> Account Lockout - FailureWN10-AU-000107<GroupDescription></GroupDescription>WN10-AU-000107The system must be configured to audit Policy Change - Authorization Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Authorization Policy Change records events related to changes in user rights, such as Create a token object.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authorization Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Policy Change >> Authorization Policy Change - SuccessWN10-CC-000038<GroupDescription></GroupDescription>WN10-CC-000038WDigest Authentication must be disabled.<VulnDiscussion>When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures this is enforced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "WDigest Authentication (disabling may require KB2871997)" to "Disabled". - -The patch referenced in the policy title is not required for Windows 10. - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ - -Value Name: UseLogonCredential - -Type: REG_DWORD -Value: 0x00000000 (0)WN10-CC-000044<GroupDescription></GroupDescription>WN10-CC-000044Internet connection sharing must be disabled.<VulnDiscussion>Internet connection sharing makes it possible for an existing internet connection, such as through wireless, to be shared and used by other systems essentially creating a mobile hotspot. This exposes the system sharing the connection to others with potentially malicious purpose.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Network Connections >> "Prohibit use of Internet Connection Sharing on your DNS domain network" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Network Connections\ - -Value Name: NC_ShowSharedAccessUI - -Type: REG_DWORD -Value: 0x00000000 (0)WN10-SO-000167<GroupDescription></GroupDescription>WN10-SO-000167Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.<VulnDiscussion>The Windows Security Account Manager (SAM) stores users' passwords. 
Restricting remote rpc connections to the SAM to Administrators helps protect those credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002235Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict clients allowed to make remote calls to SAM". - -Select "Edit Security" to configure the "Security descriptor:". - -Add "Administrators" in "Group or user names:" if it is not already listed (this is the default). - -Select "Administrators" in "Group or user names:". - -Select "Allow" for "Remote Access" in "Permissions for "Administrators". - -Click "OK". - -The "Security descriptor:" must be populated with "O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced.Windows 10 v1507 LTSB version does not include this setting, it is NA for those systems. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ - -Value Name: RestrictRemoteSAM - -Value Type: REG_SZ -Value: O:BAG:BAD:(A;;RC;;;BA)WN10-CC-000197<GroupDescription></GroupDescription>WN10-CC-000197Microsoft consumer experiences must be turned off.<VulnDiscussion>Microsoft consumer experiences provides suggestions and notifications to users, which may include the installation of Windows Store apps. Organizations may control the execution of applications through other means such as whitelisting. 
Turning off Microsoft consumer experiences will help prevent the unwanted installation of suggested applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Cloud Content >> "Turn off Microsoft consumer experiences" to "Enabled".Windows 10 v1507 LTSB version does not include this setting; it is NA for those systems. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CloudContent\ - -Value Name: DisableWindowsConsumerFeatures - -Type: REG_DWORD -Value: 0x00000001 (1)WN10-CC-000039<GroupDescription></GroupDescription>WN10-CC-000039Run as different user must be removed from context menus.<VulnDiscussion>The "Run as different user" selection from context menus allows the use of credentials other than the currently logged on user. Using privileged credentials in a standard user session can expose those credentials to theft. 
Removing this option from context menus helps prevent this from occurring.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Remove "Run as Different User" from context menus" to "Enabled". - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry values do not exist or are not configured as specified, this is a finding. -The policy configures the same Value Name, Type and Value under four different registry paths. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Paths: -\SOFTWARE\Classes\batfile\shell\runasuser\ -\SOFTWARE\Classes\cmdfile\shell\runasuser\ -\SOFTWARE\Classes\exefile\shell\runasuser\ -\SOFTWARE\Classes\mscfile\shell\runasuser\ - -Value Name: SuppressionPolicy - -Type: REG_DWORD -Value: 0x00001000 (4096)WN10-00-000210<GroupDescription></GroupDescription>WN10-00-000210Bluetooth must be turned off unless approved by the organization.<VulnDiscussion>If not configured properly, Bluetooth may allow rogue devices to communicate with a system. 
If a rogue device is paired with a system, there is potential for sensitive information to be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Turn off Bluetooth radios not organizationally approved. Establish an organizational policy for the use of Bluetooth.This is NA if the system does not have Bluetooth. - -Verify the Bluetooth radio is turned off unless approved by the organization. If it is not, this is a finding. - -Approval must be documented with the ISSO.WN10-00-000220<GroupDescription></GroupDescription>WN10-00-000220Bluetooth must be turned off when not in use.<VulnDiscussion>If not configured properly, Bluetooth may allow rogue devices to communicate with a system. If a rogue device is paired with a system, there is potential for sensitive information to be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Turn off Bluetooth radios when not in use. Establish an organizational policy for the use of Bluetooth to include training of personnel.This is NA if the system does not have Bluetooth. - -Verify the organization has a policy to turn off Bluetooth when not in use and personnel are trained. 
If it does not, this is a finding.WN10-00-000230<GroupDescription></GroupDescription>WN10-00-000230The system must notify the user when a Bluetooth device attempts to connect.<VulnDiscussion>If not configured properly, Bluetooth may allow rogue devices to communicate with a system. If a rogue device is paired with a system, there is potential for sensitive information to be compromised</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure Bluetooth to notify users if devices attempt to connect. -View Bluetooth Settings. -Ensure "Alert me when a new Bluetooth device wants to connect" is checked.This is NA if the system does not have Bluetooth, or if Bluetooth is turned off per the organizations policy. - -Search for "Bluetooth". -View Bluetooth Settings. -Select "More Bluetooth Options" -If "Alert me when a new Bluetooth device wants to connect" is not checked, this is a finding.WN10-AU-000084<GroupDescription></GroupDescription>WN10-AU-000084Windows 10 must be configured to audit Object Access - Other Object Access Events failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open PowerShell or a Command Prompt with elevated privileges ("Run as Administrator"). - -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following: - -Object Access >> Other Object Access Events - Failure - -If the system does not audit the above, this is a finding.WN10-AU-000083<GroupDescription></GroupDescription>WN10-AU-000083Windows 10 must be configured to audit Object Access - Other Object Access Events successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open PowerShell or a Command Prompt with elevated privileges ("Run as Administrator"). - -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following: - -Object Access >> Other Object Access Events - Success - -If the system does not audit the above, this is a finding.WN10-CC-000052<GroupDescription></GroupDescription>WN10-CC-000052Windows 10 must be configured to prioritize ECC Curves with longer key lengths first.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. By default Windows uses ECC curves with shorter key lengths first. 
Requiring ECC curves with longer key lengths to be prioritized first helps ensure more secure algorithms are used.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000803Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> SSL Configuration Settings >> "ECC Curve Order" to "Enabled" with "ECC Curve Order:" including the following in the order listed: - -NistP384 -NistP256If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\ - -Value Name: EccCurves - -Value Type: REG_MULTI_SZ -Value: NistP384 NistP256WN10-CC-000252<GroupDescription></GroupDescription>WN10-CC-000252Windows 10 must be configured to disable Windows Game Recording and Broadcasting.<VulnDiscussion>Windows Game Recording and Broadcasting is intended for use with games, however it could potentially record screen shots of other applications and expose sensitive data. 
Disabling the feature will prevent this from occurring.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Game Recording and Broadcasting >> "Enables or disables Windows Game Recording and Broadcasting" to "Disabled".This is NA for Windows 10 LTSC\B versions 1507 and 1607. - -If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\GameDVR\ - -Value Name: AllowGameDVR - -Type: REG_DWORD -Value: 0x00000000 (0)WN10-CC-000068<GroupDescription></GroupDescription>WN10-CC-000068Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.<VulnDiscussion>An exportable version of credentials is provided to remote hosts when using credential delegation which exposes them to theft on the remote host. Restricted Admin mode or Remote Credential Guard allow delegation of non-exportable credentials providing additional protection of the credentials. 
Enabling this configures the host to support Restricted Admin mode or Remote Credential Guard.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> "Remote host allows delegation of non-exportable credentials" to "Enabled".This is NA for Windows 10 LTSC\B versions 1507 and 1607. - -If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\ - -Value Name: AllowProtectedCreds - -Type: REG_DWORD -Value: 0x00000001 (1)WN10-00-000175<GroupDescription></GroupDescription>WN10-00-000175The Secondary Logon service must be disabled on Windows 10.<VulnDiscussion>The Secondary Logon service provides a means for entering alternate credentials, typically used to run commands with elevated privileges. Using privileged credentials in a standard user session can expose those credentials to theft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the "Secondary Logon" service "Startup Type" to "Disabled".Run "Services.msc". - -Locate the "Secondary Logon" service. 
- -If the "Startup Type" is not "Disabled" or the "Status" is "Running", this is a finding.WN10-AU-000082<GroupDescription></GroupDescription>WN10-AU-000082Windows 10 must be configured to audit Object Access - File Share successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Auditing file shares records events related to connection to shares on a system including system shares such as C$.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit File Share" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open PowerShell or a Command Prompt with elevated privileges ("Run as Administrator"). 
-Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following: - -Object Access >> File Share - Success - -If the system does not audit the above, this is a finding.WN10-00-000165<GroupDescription></GroupDescription>WN10-00-000165The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant. - -Disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1. File shares and print services hosted on Windows Server 2003 are an example, however Windows Server 2003 is no longer a supported operating system. Some older network attached devices may only support SMBv1.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 Server" to "Disabled". - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - -The system must be restarted for the change to take effect.Different methods are available to disable SMBv1 on Windows 10, if V-70639 is configured, this is NA. 
- -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ - -Value Name: SMB1 - -Type: REG_DWORD -Value: 0x00000000 (0)WN10-00-000170<GroupDescription></GroupDescription>WN10-00-000170The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant. - -Disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1. File shares and print services hosted on Windows Server 2003 are an example, however Windows Server 2003 is no longer a supported operating system. Some older network attached devices may only support SMBv1.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client driver" to "Enabled" with "Disable driver (recommended)" selected for "Configure MrxSmb10 driver". - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - -The system must be restarted for the changes to take effect. 
Different methods are available to disable SMBv1 on Windows 10, if V-70639 is configured, this is NA. - -If the following registry value is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ - -Value Name: Start - -Type: REG_DWORD -Value: 0x00000004 (4)WN10-AU-000081<GroupDescription></GroupDescription>WN10-AU-000081Windows 10 must be configured to audit Object Access - File Share failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Auditing file shares records events related to connection to shares on a system including system shares such as C$.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit File Share" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: - -Open PowerShell or a Command Prompt with elevated privileges ("Run as Administrator"). - -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following: - -Object Access >> File Share - Failure - -If the system does not audit the above, this is a finding.WN10-00-000190<GroupDescription></GroupDescription>WN10-00-000190Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.<VulnDiscussion>Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there is a potential they may still have rights no longer intended. Valid domain accounts or groups may also show up as unresolved SIDs if a connection to the domain cannot be established for some reason.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy.Review the effective User Rights setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) 
- -If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding.WN10-00-000015<GroupDescription></GroupDescription>WN10-00-000015Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.<VulnDiscussion>UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional security features in Windows 10, including Virtualization Based Security and Credential Guard. Systems with UEFI that are operating in Legacy BIOS mode will not support these security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure UEFI firmware to run in UEFI mode, not Legacy BIOS mode.For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. - -Verify the system firmware is configured to run in UEFI mode, not Legacy BIOS. - -Run "System Information". - -Under "System Summary", if "BIOS Mode" does not display "UEFI", this is finding.WN10-00-000020<GroupDescription></GroupDescription>WN10-00-000020Secure Boot must be enabled on Windows 10 systems.<VulnDiscussion>Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security features in Windows 10, including Virtualization Based Security and Credential Guard. 
If Secure Boot is turned off, these security features will not function.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Enable Secure Boot in the system firmware.Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows 10 hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. - -For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, this is NA. - -Run "System Information". - -Under "System Summary", if "Secure Boot State" does not display "On", this is finding.WN10-EP-000020<GroupDescription></GroupDescription>WN10-EP-000020Windows 10 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.<VulnDiscussion>Exploit protection in Windows 10 enables mitigations against potential threats at the system and application level. Several mitigations, including "Data Execution Prevention (DEP)", are enabled by default at the system level. DEP prevents code from being run from data-only memory pages. 
If this is turned off, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure Exploit Protection system-level mitigation, "Data Execution Prevention (DEP)", is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. - -Open "Windows Defender Security Center". - -Select "App & browser control". - -Select "Exploit protection settings". - -Under "System settings", configure "Data Execution Prevention (DEP)" to "On by default" or "Use default (<On>)". - -The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn DEP on (other system level EP requirements can be combined under <SystemConfig>): - -<SystemConfig> - <DEP Enable="true"></DEP> -</SystemConfig> - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -The default configuration in Exploit Protection is "On by default" which meets this requirement. 
The PowerShell query results for this show as "NOTSET". - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -System". - -If the status of "DEP: Enable" is "OFF", this is a finding. - -Values that would not be a finding include: -ON -NOTSET (Default configuration)WN10-EP-000030<GroupDescription></GroupDescription>WN10-EP-000030Windows 10 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.<VulnDiscussion>Exploit protection in Windows 10 enables mitigations against potential threats at the system and application level. Several mitigations, including "Randomize memory allocations (Bottom-Up ASLR)", are enabled by default at the system level. Bottom-Up ASLR (address space layout randomization) randomizes locations for virtual memory allocations, including those for system structures. If this is turned off, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-002824Ensure Exploit Protection system-level mitigation, "Randomize memory allocations (Bottom-Up ASLR)" is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. - -Open "Windows Defender Security Center". - -Select "App & browser control". - -Select "Exploit protection settings". - -Under "System settings", configure "Randomize memory allocations (Bottom-Up ASLR)" to "On by default" or "Use default (<On>)". - -The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. 
This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Bottom-Up ASLR on (other system level EP requirements can be combined under <SystemConfig>): - -<SystemConfig> - <ASLR BottomUp="true"</ASLR> -</SystemConfig> - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -System". - -If the status of "ASLR: BottomUp" is "OFF", this is a finding. - -Values that would not be a finding include: -ON -NOTSET (Default configuration)WN10-EP-000040<GroupDescription></GroupDescription>WN10-EP-000040Windows 10 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.<VulnDiscussion>Exploit protection in Windows 10 enables mitigations against potential threats at the system and application level. Several mitigations, including "Control flow guard (CFG)", are enabled by default at the system level. CFG ensures flow integrity for indirect calls. 
If this is turned off, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure Exploit Protection system-level mitigation, "Control flow guard (CFG)", is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. - -Open "Windows Defender Security Center". - -Select "App & browser control". - -Select "Exploit protection settings". - -Under "System settings", configure "Control flow guard (CFG)" to "On by default" or "Use default (<On>)". - -The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn CFG on (other system level EP requirements can be combined under <SystemConfig>): - -<SystemConfig> - <ControlFlowGuard Enable="true"></ControlFlowGuard> -</SystemConfig> - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -The default configuration in Exploit Protection is "On by default" which meets this requirement. 
The PowerShell query results for this show as "NOTSET". - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -System". - -If the status of "CFG: Enable" is "OFF", this is a finding. - -Values that would not be a finding include: -ON -NOTSET (Default configuration)WN10-EP-000050<GroupDescription></GroupDescription>WN10-EP-000050Windows 10 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.<VulnDiscussion>Exploit protection in Windows 10 enables mitigations against potential threats at the system and application level. Several mitigations, including "Validate exception chains (SEHOP)", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. If this is turned off, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure Exploit Protection system-level mitigation, "Validate exception chains (SEHOP)", is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. - -Open "Windows Defender Security Center". - -Select "App & browser control". - -Select "Exploit protection settings". - -Under "System settings", configure "Validate exception chains (SEHOP)" to "On by default" or "Use default (<On>)". - -The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. 
This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn SEHOP on (other system level EP requirements can be combined under <SystemConfig>): - -<SystemConfig> - <SEHOP Enable="true"></SEHOP> -</SystemConfig> - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -System". - -If the status of "SEHOP: Enable" is "OFF", this is a finding. - -Values that would not be a finding include: -ON -NOTSET (Default configuration)WN10-EP-000060<GroupDescription></GroupDescription>WN10-EP-000060Windows 10 Exploit Protection system-level mitigation, Validate heap integrity, must be on.<VulnDiscussion>Exploit protection in Windows 10 enables mitigations against potential threats at the system and application level. Several mitigations, including "Validate heap integrity", are enabled by default at the system level. "Validate heap integrity" terminates a process when heap corruption is detected. 
If this is turned off, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure Exploit Protection system-level mitigation, "Validate heap integrity" is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. - -Open "Windows Defender Security Center". - -Select "App & browser control". - -Select "Exploit protection settings". - -Under "System settings", configure "Validate heap integrity" to "On by default" or "Use default (<On>)". - -The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Validate heap integrity on (other system level EP requirements can be combined under <SystemConfig>): - -<SystemConfig> - <Heap TerminateOnError="true"></Heap> -</SystemConfig> - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -The default configuration in Exploit Protection is "On by default" which meets this requirement. 
The PowerShell query results for this show as "NOTSET". - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -System". - -If the status of "Heap: TerminateOnError" is "OFF", this is a finding. - -Values that would not be a finding include: -ON -NOTSET (Default configuration)WN10-EP-000070<GroupDescription></GroupDescription>WN10-EP-000070Exploit Protection mitigations in Windows 10 must be configured for Acrobat.exe.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for Acrobat.exe: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. 
- -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name Acrobat.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) - -If the following mitigations do not have the listed status which is shown below, this is a finding - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status of are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000080<GroupDescription></GroupDescription>WN10-EP-000080Exploit Protection mitigations in Windows 10 must be configured for AcroRd32.exe.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for AcroRd32.exe: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot= False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name AcroRd32.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot= False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000090<GroupDescription></GroupDescription>WN10-EP-000090Exploit Protection mitigations in Windows 10 must be configured for chrome.exe.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown forchrome.exe: - -DEP: -OverrideDEP: False - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. 
- -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name chrome.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) - -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000100<GroupDescription></GroupDescription>WN10-EP-000100Exploit Protection mitigations in Windows 10 must be configured for EXCEL.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for EXCEL.EXE: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name EXCEL.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000110<GroupDescription></GroupDescription>WN10-EP-000110Exploit Protection mitigations in Windows 10 must be configured for firefox.exe.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown firefox.exe: - -DEP: -Override DEP: False - -ASLR: -BottomUp: ON -ForceRelocateImages: True - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. 
- -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name firefox.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -Override DEP: False - -ASLR: -ForceRelocateImages: True - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000120<GroupDescription></GroupDescription>WN10-EP-000120Exploit Protection mitigations in Windows 10 must be configured for FLTLDR.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for FLTLDR.EXE: - -DEP: -Override DEP: False - -ImageLoad: -ImageLoad OverrideBlockRemoteImages: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - -Child Process: -OverrideChildProcess: False - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name FLTLDR.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -Override DEP: False - -ImageLoad: -ImageLoad OverrideBlockRemoteImages: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - -Child Process: -OverrideChildProcess: False - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000130<GroupDescription></GroupDescription>WN10-EP-000130Exploit Protection mitigations in Windows 10 must be configured for GROOVE.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown GROOVE.EXE: - -DEP: -OverrideDEP: False - -ASLR: -OverrideBlockRemoteImages: False - -ImageLoad: -ForceRelocateImages: True - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - -Child Process: -OverrideChildProcess: False - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name GROOVE.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: True - -ImageLoad: -OverrideBlockRemoteImages: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - -Child Process: -OverrideChildProcess: False - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000140<GroupDescription></GroupDescription>WN10-EP-000140Exploit Protection mitigations in Windows 10 must be configured for iexplore.exe.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for iexplore.exe: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name iexplore.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000150<GroupDescription></GroupDescription>WN10-EP-000150Exploit Protection mitigations in Windows 10 must be configured for INFOPATH.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for INFOPATH.EXE: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name INFOPATH.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000160<GroupDescription></GroupDescription>WN10-EP-000160Exploit Protection mitigations in Windows 10 must be configured for java.exe, javaw.exe, and javaws.exe.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured for java.exe, javaw.exe, and javaws.exe: - -DEP: -OverrideDEP: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name [application name]" with each of the following substituted for [application name]: -java.exe, javaw.exe, and javaws.exe -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000170<GroupDescription></GroupDescription>WN10-EP-000170Exploit Protection mitigations in Windows 10 must be configured for lync.exe.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for lync.exe: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG 
package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name lync.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) - -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000180<GroupDescription></GroupDescription>WN10-EP-000180Exploit Protection mitigations in Windows 10 must be configured for MSACCESS.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for MSACCESS.EXE: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name MSACCESS.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status of are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000190<GroupDescription></GroupDescription>WN10-EP-000190Exploit Protection mitigations in Windows 10 must be configured for MSPUB.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for MSPUB.EXE: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name MSPUB.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000210<GroupDescription></GroupDescription>WN10-EP-000210Exploit Protection mitigations in Windows 10 must be configured for OneDrive.exe.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured for OneDrive.exe: - -DEP: -Override DEP: False - -ASLR: -OverrideRelocateImages: False - -ImageLoad: -OverrideBlockRemoteImages: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name OneDrive.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -Override DEP: False - -ASLR: -OverrideRelocateImages: False - -ImageLoad: -OverrideBlockRemoteImages: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000200<GroupDescription></GroupDescription>WN10-EP-000200Exploit Protection mitigations in Windows 10 must be configured for OIS.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for OIS.EXE: - -DEP: -OverrideDEP: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name OIS.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000220<GroupDescription></GroupDescription>WN10-EP-000220Exploit Protection mitigations in Windows 10 must be configured for OUTLOOK.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for OUTLOOK.EXE: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 
STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name OUTLOOK.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) - -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000230<GroupDescription></GroupDescription>WN10-EP-000230Exploit Protection mitigations in Windows 10 must be configured for plugin-container.exe.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are turned "ON" for plugin-container.exe: - -DEP: -Enable: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name plugin-container.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have a status of "ON", this is a finding: - -DEP: -Enable: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON - -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000240<GroupDescription></GroupDescription>WN10-EP-000240Exploit Protection mitigations in Windows 10 must be configured for POWERPNT.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for POWERPNT.EXE: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. 
- -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name POWERPNT.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) - -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000250<GroupDescription></GroupDescription>WN10-EP-000250Exploit Protection mitigations in Windows 10 must be configured for PPTVIEW.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for PPTVIEW.EXE: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name PPTVIEW.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000260<GroupDescription></GroupDescription>WN10-EP-000260Exploit Protection mitigations in Windows 10 must be configured for VISIO.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for VISIO.EXE: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name VISIO.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000270<GroupDescription></GroupDescription>WN10-EP-000270Exploit Protection mitigations in Windows 10 must be configured for VPREVIEW.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for VPREVIEW.EXE: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name VPREVIEW.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000280<GroupDescription></GroupDescription>WN10-EP-000280Exploit Protection mitigations in Windows 10 must be configured for WINWORD.EXE.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for WINWORD.EXE: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name WINWORD.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -ASLR: -ForceRelocateImages: ON - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status of are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000290<GroupDescription></GroupDescription>WN10-EP-000290Exploit Protection mitigations in Windows 10 must be configured for wmplayer.exe.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for wmplayer.exe: - -DEP: -OverrideDEP: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name wmplayer.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-EP-000300<GroupDescription></GroupDescription>WN10-EP-000300Exploit Protection mitigations in Windows 10 must be configured for wordpad.exe.<VulnDiscussion>Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows 10 may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Ensure the following mitigations are configured as shown for wordpad.exe: - -DEP: -OverrideDEP: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the Windows 10 STIG package in the "Supporting 
Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location.This is NA prior to v1709 of Windows 10. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name wordpad.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) - -If the following mitigations do not have the listed status which is shown below, this is a finding: - -DEP: -OverrideDEP: False - -Payload: -OverrideEnableExportAddressFilter: False -OverrideEnableExportAddressFilterPlus: False -OverrideEnableImportAddressFilter: False -OverrideEnableRopStackPivot: False -OverrideEnableRopCallerCheck: False -OverrideEnableRopSimExec: False - - -The PowerShell command produces a list of mitigations; only those with a required status are listed here. If the PowerShell command does not produce results, ensure the letter case of the filename within the command syntax matches the letter case of the actual filename on the system.WN10-00-000240<GroupDescription></GroupDescription>WN10-00-000240Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.<VulnDiscussion>Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. 
Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. - -Since administrative accounts may generally change or work around technical restrictions for running a web browser or other applications, it is essential that policy requires administrative accounts to not access the Internet or use applications, such as email. - -The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. - -Technical means such as application whitelisting can be used to enforce the policy to ensure compliance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Establish and enforce a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. - -Implement technical measures where feasible such as removal of applications or use of application whitelisting to restrict the use of applications that can access the Internet.Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. 
- -The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. - -Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. - -If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.WN10-UC-000005<GroupDescription></GroupDescription>WN10-UC-000005The use of personal accounts for OneDrive synchronization must be disabled.<VulnDiscussion>OneDrive provides access to external services for data storage, which must be restricted to authorized instances. Enabling this setting will prevent the use of personal OneDrive accounts for synchronization.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for User Configuration >> Administrative Templates >> OneDrive >> "Prevent users from synchronizing personal OneDrive accounts" to "Enabled". - -Group policy files for OneDrive are located on a system with OneDrive in "%localappdata%\Microsoft\OneDrive\BuildNumber\adm\". 
- -Copy the OneDrive.admx and .adml files to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \Software\Policies\Microsoft\OneDrive\ - -Value Name: DisablePersonalSync - -Value Type: REG_DWORD -Value: 0x00000001 (1)WN10-CC-000238<GroupDescription></GroupDescription>WN10-CC-000238Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.<VulnDiscussion>Web security certificates provide an indication whether a site is legitimate. This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Edge >> "Prevent certificate error overrides" to "Enabled".This setting is applicable starting with v1809 of Windows 10; it is NA for prior versions. - -Windows 10 LTSC\B versions do not include Microsoft Edge; this is NA for those systems. - -If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\ - -Value Name: PreventCertErrorOverrides - -Type: REG_DWORD -Value: 0x00000001 (1)WN10-CC-000204<GroupDescription></GroupDescription>WN10-CC-000204If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Enhanced" level for telemetry includes additional information beyond "Security" and "Basic" on how Windows and apps are used and advanced reliability data. Windows Analytics can use a "limited enhanced" level to provide information such as health data for devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Data Collection and Preview Builds >> "Limit Enhanced diagnostic data to the minimum required by Windows Analytics" to "Enabled" with "Enable Windows Analytics collection" selected in "Options:".This setting requires v1709 or later of Windows 10; it is NA for prior versions. - -If "Enhanced" level is enabled for telemetry, this must be configured. If "Security" or "Basic" are configured, this is NA. (See V-63683). - -If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\ - -Value Name: LimitEnhancedDiagnosticDataWindowsAnalytics - -Type: REG_DWORD -Value: 0x00000001 (1)WN10-CC-000340<GroupDescription></GroupDescription>WN10-CC-000340OneDrive must only allow synchronizing of accounts for DoD organization instances.<VulnDiscussion>OneDrive provides access to external services for data storage, which must be restricted to authorized instances if enabled. Configuring this setting will restrict synchronizing of OneDrive accounts to DoD organization instances.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> OneDrive >> "Allow syncing OneDrive accounts for only specific organizations", with the Tenant GUID of the organization's DoD instance in the format 1111-2222-3333-4444. - -If the organization does not have an instance of OneDrive, configure the Tenant GUID with "1111-2222-3333-4444". - -Group policy files for OneDrive are located on a system with OneDrive in "%localappdata%\Microsoft\OneDrive\BuildNumber\adm\". - -Copy the OneDrive.admx and .adml files to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the organization is using a DoD instance of OneDrive, verify synchronizing is only allowed to the organization's DoD instance. - -If the organization does not have an instance of OneDrive, verify this is configured with the noted dummy entry to prevent synchronizing with other instances. 
- -If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\OneDrive\AllowTenantList\ - -Value Name: Organization's Tenant GUID - -Value Type: REG_SZ -Value: Organization's Tenant GUID - -If the organization does not have an instance of OneDrive the Value Name and Value must be 1111-2222-3333-4444, if not this is a finding.WN10-CC-000365<GroupDescription></GroupDescription>WN10-CC-000365Windows 10 must be configured to prevent Windows apps from being activated by voice while the system is locked.<VulnDiscussion>Allowing Windows apps to be activated by voice from the lock screen could allow for unauthorized use. Requiring logon will ensure the apps are only used by authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000056Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> App Privacy >> "Let Windows apps activate with voice while the system is locked" to "Enabled" with “Default for all Apps:” set to “Force Deny”. - -The requirement is NA if the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> App Privacy >> "Let Windows apps activate with voice" is configured to "Enabled" with “Default for all Apps:” set to “Force Deny”.This setting requires v1903 or later of Windows 10; it is NA for prior versions. The setting is NA when the “Allow voice activation” policy is configured to disallow applications to be activated with voice for all users. 
-If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppPrivacy\ - -Value Name: LetAppsActivateWithVoiceAboveLock - -Type: REG_DWORD -Value: 0x00000002 (2) - -If the following registry value exists and is configured as specified, requirement is NA. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppPrivacy\ - -Value Name: LetAppsActivateWithVoice - -Type: REG_DWORD -Value: 0x00000002 (2)WN10-00-000031<GroupDescription></GroupDescription>WN10-00-000031Windows 10 systems must use a BitLocker PIN for pre-boot authentication.<VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. 
Pre-boot authentication prevents unauthorized users from accessing encrypted drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001199CCI-002475CCI-002476Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Require additional authentication at startup" to "Enabled" with "Configure TPM Startup PIN:" set to "Require startup PIN with TPM" or with "Configure TPM startup key and PIN:" set to "Require startup key and PIN with TPM".If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ - -Value Name: UseAdvancedStartup -Type: REG_DWORD -Value: 0x00000001 (1) - -If one of the following registry values does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ - -Value Name: UseTPMPIN -Type: REG_DWORD -Value: 0x00000001 (1) - -Value Name: UseTPMKeyPIN -Type: REG_DWORD -Value: 0x00000001 (1) - - -BitLocker network unlock may be used in conjunction with a BitLocker PIN. See the article below regarding information about network unlock. 
- -https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlockWN10-00-000032<GroupDescription></GroupDescription>WN10-00-000032Windows 10 systems must use a BitLocker PIN with a minimum length of 6 digits for pre-boot authentication.<VulnDiscussion>If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives. Increasing the pin length requires a greater number of guesses for an attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001199CCI-002475CCI-002476Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Configure minimum PIN length for startup" to "Enabled" with "Minimum characters:" set to "6" or greater.If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ - -Value Name: MinimumPIN -Type: REG_DWORD -Value: 0x00000006 (6) or greaterWN10-AU-000565<GroupDescription></GroupDescription>WN10-AU-000565Windows 10 must be configured to audit other Logon/Logoff Events Failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. Logon events are essential to understanding user activity and detecting potential attacks. -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Other Logon/Logoff Events" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Logon/Logoff >> Other Logon/Logoff Events - Failure -WN10-AU-000560<GroupDescription></GroupDescription>WN10-AU-000560Windows 10 must be configured to audit other Logon/Logoff Events Successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events. Logon events are essential to understanding user activity and detecting potential attacks. 
-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Other Logon/Logoff Events" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Logon/Logoff >> Other Logon/Logoff Events - Success -WN10-AU-000570<GroupDescription></GroupDescription>WN10-AU-000570Windows 10 must be configured to audit Detailed File Share Failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder. 
-The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> “Detailed File Share" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Object Access >> Detailed File Share - Failure -WN10-AU-000575<GroupDescription></GroupDescription>WN10-AU-000575Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> “Audit MPSSVC Rule-Level Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding: - -Policy Change >> MPSSVC Rule-Level Policy Change - Success -WN10-AU-000580<GroupDescription></GroupDescription>WN10-AU-000580Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> “Audit MPSSVC Rule-Level Policy Change" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). 
-Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Policy Change >> MPSSVC Rule-Level Policy Change - Failure -WN10-AU-000550<GroupDescription></GroupDescription>WN10-AU-000550Windows 10 must be configured to audit Other Policy Change Events Successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. 
-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change>> "Audit Other Policy Change Events" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Policy Change >> Other Policy Change Events - Success -WN10-AU-000555<GroupDescription></GroupDescription>WN10-AU-000555Windows 10 must be configured to audit Other Policy Change Events Failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change>> "Audit Other Policy Change Events" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN10-SO-000030) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: -Open a Command Prompt with elevated privileges ("Run as Administrator"). -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding: - -Policy Change >> Other Policy Change Events - Failure -WN10-SO-000280<GroupDescription></GroupDescription>WN10-SO-000280Passwords for enabled local Administrator accounts must be changed at least every 60 days.<VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. 
A local Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for enabled Administrator accounts on a regular basis will limit its exposure. - -Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default. -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000199Change the enabled local Administrator account password at least every "60" days. - -Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to meet this requirement. -Review the password last set date for the enabled local Administrator account. - -On the local domain joined workstation: - -Open "PowerShell". - -Enter "Get-LocalUser –Name * | Select-Object *” - -If the "PasswordLastSet" date is greater than "60" days old for the local Administrator account for administering the computer/domain, this is a finding. -WN10-EP-000310<GroupDescription></GroupDescription>WN10-EP-000310Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled.<VulnDiscussion>Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. 
Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-001090Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Kernel DMA Protection >> "Enumeration policy for external devices incompatible with Kernel DMA Protection" to "Enabled" with "Enumeration Policy" set to "Block All".This is NA prior to v1803 of Windows 10. - -If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Kernel DMA Protection - -Value Name: DeviceEnumerationPolicy -Value Type: REG_DWORD -Value: 0WN10-CC-000370<GroupDescription></GroupDescription>WN10-CC-000370The convenience PIN for Windows 10 must be disabled. <VulnDiscussion>This policy controls whether a domain user can sign in using a convenience PIN to prevent enabling (Password Stuffer).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Disable the convenience PIN sign-in. 
- -If this needs to be corrected configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> Set "Turn on convenience PIN sign-in" to "Disabled”. -If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\System - -Value Name: AllowDomainPINLogon -Value Type: REG_DWORD -Value data: 0WN10-CC-000385<GroupDescription></GroupDescription>WN10-CC-000385Windows Ink Workspace configured but disallow access above the lock. <VulnDiscussion>Securing Windows Ink which contains application and features oriented towards pen computing. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Disable the convenience PIN sign-in. - -If this needs to be corrected configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Ink Workspace >> Set " Allow Windows Ink Workspace" to "Enabled” Set Options ‘On, but disallow access above lock”. -If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\WindowsInkWorkspace - -Value Name: AllowWindowsInkWorkspace -Value Type: REG_DWORD -Value data: 1 - -WN10-CC-000390<GroupDescription></GroupDescription>WN10-CC-000390Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications. 
<VulnDiscussion>Windows spotlight features may suggest apps and content from third-party software publishers in addition to Microsoft apps and content. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381Configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Cloud Content >> "Do not suggest third-party content in Windows spotlight" to "EnabledIf the following registry value does not exist or is not configured as specified, this is a finding. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CloudContent\ - -Value Name: DisableThirdPartySuggestions - -Type: REG_DWORD -Value: 0x00000001 (1) - -SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN10-CC-000007Windows 10 must cover or disable the built-in or attached camera when not in use.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. - -Failing to disconnect from collaborative computing devices (i.e. cameras) can result in subsequent compromises of organizational information. 
Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure that participants actually carry out the disconnect activity without having to go through complex and tedious procedures. - -Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155 -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 10DISADPMS TargetWindows 102885CCI-000381If the camera is not disconnected or covered, the following registry entry is required. - -Registry Hive: HKEY_LOCAL_MACHINE -RegistryPath\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam - -Value Name: Deny -If the device or operating system does not have a camera installed, this requirement is not applicable. - -This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. - -This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. - -For an external camera, if there is not a method for the operator to manually disconnect camera at the end of collaborative computing sessions, this is a finding. - -For a built-in camera, the camera must be protected by a camera cover (e.g. laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or if the built-in -camera is not disabled in the bios, this is a finding. 
- -If the camera is not disconnected or covered, the following registry entry is required: - -Registry Hive: HKEY_LOCAL_MACHINE -RegistryPath\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam - -Value Name: Deny - -If "Value Name" is set to a value other than "Deny" and the collaborative computing device has not been authorized for use, this is a finding. - diff --git a/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V2R1_Manual-xccdf.log b/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V2R1_Manual-xccdf.log new file mode 100644 index 000000000..24a7df026 --- /dev/null +++ b/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V2R1_Manual-xccdf.log 
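Review bot: Dropping the old benchmark's rules is fine, but several of the deleted rule texts carried upstream defects that the converter had to tolerate, so the replacement benchmark will need equivalent corrections in its log file or these rules will silently degrade to DocumentRules: WN10-CC-000007 gives the key as "RegistryPath\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" with no "Registry Path:" label and lists "Value Name: Deny" with no value type or data; WN10-CC-000385 reuses the WN10-CC-000370 fix text "Disable the convenience PIN sign-in." although it configures "AllowWindowsInkWorkspace"; WN10-CC-000390 repeats its "If the following registry value does not exist..." sentence and never closes the quote after "Enabled. Worth checking the processed output for each of these rule ids after the swap.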
@@ -0,0 +1,16 @@ +V-220745::"Minimum password length,"::"Minimum password length" +V-220747::"Store password using reversible encryption"::"Store passwords using reversible encryption" +V-220836::*::HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'; ValueData = 'Block'; ValueName = 'ShellSmartScreenLevel'; ValueType = 'String'}HardCodedRule(RegistryRule)@{DscResource = 'RegistryPolicyFile'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'; ValueData = $null; ValueName = 'EnableSmartScreen'; ValueType = 'Dword'; OrganizationValueTestString = "{0} -eq 1|2"} +V-220860::Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ +V-220805::Registry Path: \SOFTWARE\Policies\Microsoft\ Cryptography\Configuration\SSL\00010002\::Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\ +V-220704::*::HardCodedRule(RegistryRule)@{DscResource = 'Registry'; Ensure = 'Present'; Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE'; ValueData = $null; ValueName = 'MinimumPIN'; ValueType = 'DWord'; OrganizationValueTestString = 'ValueData is set to 0x00000006 (6) or greater '} +V-220870::Value data: 0::Value: 0x00000000 (0) +V-220871::Value data: 1::Value: 0x00000001 (1) +V-220793::RegistryPath\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam::Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam +V-220793::This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.::ValueType: REG_SZ +V-220793::This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.::Value: Deny +V-220793::Value 
Name: Deny::ValueName: Value +V-220961::NT SERVICE\autotimesvc is added in v1909 cumulative update.::NT SERVICE\autotimesvc +V-220891::OverrideExportAddressFilter: False::OverrideEnableExportAddressFilter: False +V-220891::OverrideExportAddressFilterPlus: False::OverrideEnableExportAddressFilterPlus: False +V-220891::OverrideImportAddressFilter: False::OverrideEnableImportAddressFilter: False diff --git a/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V2R1_Manual-xccdf.xml b/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V2R1_Manual-xccdf.xml new file mode 100644 index 000000000..2e27b4adb --- /dev/null +++ b/source/StigData/Archive/Windows.Client/U_MS_Windows_10_STIG_V2R1_Manual-xccdf.xml 
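Review bot: The two HardCodedRule entries in this log use incompatible OrganizationValueTestString forms, and one of them looks like it will not evaluate. V-220836 sets "OrganizationValueTestString = "{0} -eq 1|2""; once the organizational value is formatted in, "1 -eq 1|2" is a pipeline rather than a boolean expression, so "{0} -eq 1 -or {0} -eq 2" (or a -match against "^(1|2)$") would express the intended two-value test. V-220704 instead carries prose, "'ValueData is set to 0x00000006 (6) or greater '" (trailing space included); if the string is meant to be evaluated, "{0} -ge 6" follows the code-style form the V-220836 entry itself uses, and if it is meant only as a hint, the two entries should at least agree on which convention applies. Two smaller points: the V-220793 replacements rewrite the mobile-device and VTC-suite applicability sentences into "ValueType: REG_SZ" and "Value: Deny" so the webcam entry parses as a registry rule, which works but drops two applicability caveats from the rule text and deserves a comment in the PR; and V-220836 spells the type "Dword" while V-220704 uses "DWord" (cosmetic, but worth aligning).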
@@ -0,0 +1,4540 @@ +acceptedWindows 10 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 13 Nov 20203.1.1.362251.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-APP-000279<GroupDescription></GroupDescription>WNDF-AV-000001Windows Defender AV must be configured to enable the Potentially Unwanted Application (PUA) feature.<VulnDiscussion>After enabling this feature, Potentially Unwanted Application (PUA) protection blocking takes effect on endpoint clients after the next signature update or computer restart. Signature updates take place daily under typical circumstances. 
PUA will be blocked and automatically quarantined.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001243Set the policy value for Computer Configuration -> Administrative Templates -> MS Security Guide -> "Turn on Windows Defender protection against Potentially Unwanted Applications" to “Enabled”. - -This policy setting requires the installation of the SecGuide custom templates included with the Windows 10 STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. -Verify the policy value for Computer Configuration -> Administrative Templates -> MS Security Guide -> "Turn on Windows Defender protection against Potentially Unwanted Applications" is set to "Enabled". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine - -Criteria: If the value "MpEnablePus" is REG_DWORD = 1, this is not a finding.SRG-APP-000279<GroupDescription></GroupDescription>WNDF-AV-000003Windows Defender AV must be configured to automatically take action on all detected tasks.<VulnDiscussion>This policy setting allows you to configure whether Windows Defender automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action user-defined action and the signature-defined action. 
If you enable this policy setting Windows Defender does not automatically take action on the detected threats but prompts users to choose from the actions available for each threat. If you disable or do not configure this policy setting Windows Defender automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001243Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> "Turn off routine remediation" to "Disabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> "Turn off routine remediation" is set to "Disabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender - -Criteria: If the value "DisableRoutinelyTakingAction" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. - -If the value is 1, this is a finding.SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000004Windows Defender AV must be configured to run and scan for malware and other potentially unwanted software.<VulnDiscussion>This policy setting turns off Windows Defender Antivirus. If you enable this policy setting Windows Defender Antivirus does not run and computers are not scanned for malware or other potentially unwanted software. 
When the setting is Disabled and a third-party antivirus solution is installed, the two applications can both simultaneously try to protect the system. The two AV solutions both attempt to quarantine the same threat and will fight for access to delete the file. Users will see conflicts and the system may lock up until the two solutions finish processing. When the setting is Not Configured and a third-party antivirus solution is installed, both applications co-exist on the system without conflicts. Defender Antivirus will automatically disable itself and will enable if the third-party solution stops functioning. When the setting is Not Configured and Defender Antivirus is the only AV solution, Defender AV will run (default state) and receive definition updates. An administrator account is needed to turn off the service. A standard user cannot disable the service. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242For Windows 10: Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Antivirus set "Turn off Windows Defender Antivirus" to "Not Configured". - -For Windows 2016/Windows 2019: Use the following PowerShell cmdlet to uninstall Windows Defender AV on Windows 2016/Windows 2019: -Uninstall-WindowsFeature -Name Windows-Defender - -Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Antivirus >> "Turn off Windows Defender Antivirus" is set to “Not Configured”. 
- -For Windows 10: -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender - -Criteria: If the value "DisableAntiSpyware" does not exist, this is not a finding. - -For Windows Server 2016/Windows Server 2019: -Note: This only applies when a third-party antivirus solution is enforced on the system. -Due to changes from Microsoft in the Server 2016/Server 2019 architecture, Windows Defender Antivirus will not disable itself when other antivirus products are detected. Microsoft has also removed API's for other Antivirus software to cleanly stop and disable Windows Defender AV. This was a design choice by Microsoft to maximize protection in Server 2016/Server 2019. - -If there is a third-party antivirus product enforced on the system, the Windows Defender Antivirus must be uninstalled. - -Procedure: Access Add Roles and Features Wizard >> Features - -Criteria: If “Windows Defender Features (Installed) is selected, this is a finding. -SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000005Windows Defender AV must be configured to not exclude files for scanning.<VulnDiscussion>This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair where the name should be a string representation of a path or a fully qualified resource name. As an example a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". 
The value is not used and it is recommended that this be set to 0.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Exclusions -> "Path Exclusions" to "Disabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Exclusions -> "Path Exclusions" is set to "Disabled" or "Not Configured. - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions - -Criteria: If the value "Exclusions_Paths" does not exist, this is not a finding.SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000006Windows Defender AV must be configured to not exclude files opened by specified processes.<VulnDiscussion>This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example a process might be defined as: "c:\windows\app.exe". 
The value is not used and it is recommended that this be set to 0.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Exclusions -> "Process Exclusions" to "Disabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Exclusions -> "Process Exclusions" is set to "Disabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions - -Criteria: If the value "Exclusions_Processes" does not exist, this is not a finding.SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000007Windows Defender AV must be configured to enable the Automatic Exclusions feature.<VulnDiscussion>Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows 
Defender Antivirus -> Exclusions -> "Turn off Auto Exclusions" to "Disabled".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Exclusions -> "Turn off Auto Exclusions" is set to "Disabled". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions - -Criteria: If the value "DisableAutoExclusions" is REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000008Windows Defender AV must be configured to disable local setting override for reporting to Microsoft MAPS.<VulnDiscussion>This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference setting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170This is applicable to unclassified systems, for other systems this is NA. - -Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Configure local setting override for reporting to Microsoft MAPS" to "Disabled" or "Not Configured".This is applicable to unclassified systems, for other systems this is NA. 
- -Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Configure local setting override for reporting to Microsoft MAPS" is set to "Disabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Spynet - -Criteria: If the value "LocalSettingOverrideSpynetReporting" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. - -If the value is 1, this is a finding.SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000009Windows Defender AV must be configured to check in real time with MAPS before content is run or accessed.<VulnDiscussion>This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled the check will not occur which will lower the protection state of the device. Enabled - The Block at First Sight setting is turned on. Disabled - The Block at First Sight setting is turned off. This feature requires these Group Policy settings to be set as follows: MAPS -> The "Join Microsoft MAPS" must be enabled or the "Block at First Sight" feature will not function. MAPS -> The "Send file samples when further analysis is required" should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function. Real-time Protection -> The "Scan all downloaded files and attachments" policy must be enabled or the "Block at First Sight" feature will not function. 
Real-time Protection -> Do not enable the "Turn off real-time protection" policy or the "Block at First Sight" feature will not function.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242This is applicable to unclassified systems, for other systems this is NA. - -Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Configure the 'Block at First Sight' feature" to "Enabled".This is applicable to unclassified systems, for other systems this is NA. - -Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Configure the 'Block at First Sight' feature" is set to "Enabled". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Spynet - -Criteria: If the value "DisableBlockAtFirstSeen" is REG_DWORD = 0, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000010Windows Defender AV must be configured to not join Microsoft MAPS.<VulnDiscussion>This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. 
This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However Microsoft will not use this information to identify you or contact you. Possible options are: (0x0) Disabled (default) (0x1) Basic membership (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. If you enable this setting you will join Microsoft MAPS with the membership specified. If you disable or do not configure this setting you will not join Microsoft MAPS. In Windows 10 Basic membership is no longer available so setting the value to 1 or 2 enrolls the device into Advanced membership. - -Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this feature will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
This setting disables Microsoft Active Protection Service membership and reporting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170This is applicable to unclassified systems, for other systems this is NA. - -Set the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Antivirus >> MAPS >> "Join Microsoft MAPS" to "Disabled" and select "Advanced MAPS" from the drop-down box. - -This is applicable to unclassified systems, for other systems this is NA. - -Verify the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender Antivirus >> MAPS >> "Join Microsoft MAPS" is set to "Disabled" and "Advanced MAPS" is selected from the drop down box. - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Spynet - -Criteria: If the value "SpynetReporting" is REG_DWORD = 2 or REG_DWORD = 1, this is not a finding. - -SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000011Windows Defender AV must be configured to only send safe samples for MAPS telemetry.<VulnDiscussion>This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set. 
Possible options are: (0x0) Always prompt (0x1) Send safe samples automatically (0x2) Never send (0x3) Send all samples automatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170This is applicable to unclassified systems, for other systems this is NA. - -Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Send file samples when further analysis is required" to "Enabled" and select "Send safe samples" from the drop down box.This is applicable to unclassified systems, for other systems this is NA. - -Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> MAPS -> "Send file samples when further analysis is required" is set to "Enabled" and "Send safe samples" selected from the drop down box. - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Spynet - -Criteria: If the value "SubmitSamplesConsent" is REG_DWORD = 1, this is not a finding.SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000012Windows Defender AV must be configured for protocol recognition for network protection.<VulnDiscussion>This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting protocol recognition will be enabled. 
If you disable this setting protocol recognition will be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Network Inspection System -> "Turn on protocol recognition" to "Enabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Network Inspection System -> "Turn on protocol recognition" is set to "Enabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\NIS - -Criteria: If the value "DisableProtocolRecognition" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. - -If the value is 1, this is a finding.SRG-APP-000112<GroupDescription></GroupDescription>WNDF-AV-000013Windows Defender AV must be configured to not allow local override of monitoring for file and program activity.<VulnDiscussion>This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. 
If you disable or do not configure this setting Group Policy will take priority over the local preference setting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure local setting override for monitoring file and program activity on your computer" to "Disabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure local setting override for monitoring file and program activity on your computer" is set to "Disabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - -Criteria: If the value "LocalSettingOverrideDisableOnAccessProtection" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. - -If the value is 1, this is a finding.SRG-APP-000112<GroupDescription></GroupDescription>WNDF-AV-000014Windows Defender AV must be configured to not allow override of monitoring for incoming and outgoing file activity.<VulnDiscussion>This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. 
If you disable or do not configure this setting Group Policy will take priority over the local preference setting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001695Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure local setting override for monitoring for incoming and outgoing file activity" to "Disabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure local setting override for monitoring for incoming and outgoing file activity" is set to "Disabled" or "Not Configure". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - -Criteria: If the value "LocalSettingOverrideRealtimeScanDirection" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. - -If the value is 1, this is a finding.SRG-APP-000209<GroupDescription></GroupDescription>WNDF-AV-000015Windows Defender AV must be configured to not allow override of scanning for downloaded files and attachments.<VulnDiscussion>This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. 
If you disable or do not configure this setting Group Policy will take priority over the local preference setting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001169Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure local setting override for scanning all downloaded files and attachments" to "Disabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure local setting override for scanning all downloaded files and attachments" is set to "Disabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - -Criteria: If the value "LocalSettingOverrideDisableIOAVProtection" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. - -If the value is 1, this is a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000016Windows Defender AV must be configured to not allow override of behavior monitoring.<VulnDiscussion>This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. 
If you disable or do not configure this setting Group Policy will take priority over the local preference setting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure local setting override for turn on behavior monitoring" to "Disabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure local setting override for turn on behavior monitoring" is set to "Disabled" or "Not Configure". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - -Criteria: If the value "LocalSettingOverrideDisableBehaviorMonitoring" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. - -If the value is 1, this is a finding.SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000017Windows Defender AV Group Policy settings must take priority over the local preference settings.<VulnDiscussion>This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. 
If you disable or do not configure this setting Group Policy will take priority over the local preference setting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure local setting override to turn on real-time protection" to "Disabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure local setting override to turn on real-time protection" is set to "Disabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - -Criteria: If the value "LocalSettingOverrideDisableRealtimeMonitoring" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. - -If the value is 1, this is a finding.SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000018Windows Defender AV must monitor for incoming and outgoing files.<VulnDiscussion>This policy setting allows you to configure monitoring for incoming and outgoing files without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. 
The appropriate configuration should be evaluated based on the server role. Note that this configuration is only honored for NTFS volumes. For any other file system type full monitoring of file and program activity will be present on those volumes. The options for this setting are mutually exclusive: 0 = Scan incoming and outgoing files (default) 1 = Scan incoming files only 2 = Scan outgoing files only Any other value or if the value does not exist resolves to the default (0). If you enable this setting the specified type of monitoring will be enabled. If you disable or do not configure this setting monitoring for incoming and outgoing files will be enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure monitoring for incoming and outgoing file and program activity" to "Disabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Configure monitoring for incoming and outgoing file and program activity" is set to "Disabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - -Criteria: If the value "RealtimeScanDirection" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. 
- -If the value is 1 or 2, this is a finding.SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000019Windows Defender AV must be configured to monitor for file and program activity.<VulnDiscussion>This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting monitoring for file and program activity will be enabled. If you disable this setting monitoring for file and program activity will be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Monitor file and program activity on your computer" to "Enabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Monitor file and program activity on your computer to be scanned" is set to "Enabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - -Criteria: If the value "DisableOnAccessProtection" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. 
- -If the value is 1, this is a finding.SRG-APP-000209<GroupDescription></GroupDescription>WNDF-AV-000020Windows Defender AV must be configured to scan all downloaded files and attachments.<VulnDiscussion>This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting scanning for all downloaded files and attachments will be enabled. If you disable this setting scanning for all downloaded files and attachments will be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001169Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Scan all downloaded files and attachments" to "Enabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Scan all downloaded files and attachments" is set to "Enabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - -Criteria: If the value "DisableIOAVProtection" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. 
- -If the value is 1, this is a finding.SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000021Windows Defender AV must be configured to always enable real-time protection.<VulnDiscussion>This policy setting turns off real-time protection prompts for known malware detection. Windows Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. If you enable this policy setting Windows Defender Antivirus will not prompt users to take actions on malware detections. If you disable or do not configure this policy setting Windows Defender Antivirus will prompt users to take actions on malware detections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Turn off real-time protection" to "Disabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Turn off real-time protection" is set to "Disabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - -Criteria: If the value "DisableRealtimeMonitoring" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. 
- -If the value is 1, this is a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000022Windows Defender AV must be configured to enable behavior monitoring.<VulnDiscussion>This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting behavior monitoring will be enabled. If you disable this setting behavior monitoring will be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Turn on behavior monitoring" to "Enabled " or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Turn on behavior monitoring" is set to "Enabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - -Criteria: If the value "DisableBehaviorMonitoring" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. - -If the value is 1, this is a finding.SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000023Windows Defender AV must be configured to process scanning when real-time protection is enabled.<VulnDiscussion>This policy setting allows you to configure process scanning when real-time protection is turned on. 
This helps to catch malware which could start when real-time protection is turned off. If you enable or do not configure this setting a process scan will be initiated when real-time protection is turned on. If you disable this setting a process scan will not be initiated when real-time protection is turned on.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> Turn on process scanning whenever real-time protection is enabled to "Enabled" or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Real-time Protection -> "Turn on process scanning whenever real-time protection is enabled" is set to "Enabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - -Criteria: If the value "DisableScanOnRealtimeEnable" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. - -If the value is 1, this is a finding.SRG-APP-000278<GroupDescription></GroupDescription>WNDF-AV-000024Windows Defender AV must be configured to scan archive files.<VulnDiscussion>This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. If you enable or do not configure this setting archive files will be scanned. 
If you disable this setting archive files will not be scanned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001242Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Scan -> "Scan archive files" to "Enabled " or "Not Configured".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Scan -> "Scan archive files" is set to "Enabled" or "Not Configured". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Scan - -Criteria: If the value "DisableArchiveScanning" is REG_DWORD = 0, this is not a finding. - -If the value does not exist, this is not a finding. - -If the value is 1, this is a finding.SRG-APP-000073<GroupDescription></GroupDescription>WNDF-AV-000025Windows Defender AV must be configured to scan removable drives.<VulnDiscussion>This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives such as USB flash drives when running a full scan. If you enable this setting removable drives will be scanned during any type of scan. If you disable or do not configure this setting removable drives will not be scanned during a full scan. 
Removable drives may still be scanned during quick scan and custom scan.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-000870Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Scan -> "Scan removable drives" to "Enabled".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Scan -> "Scan removable drives" is set to "Enabled". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Scan - -Criteria: If the value "DisableRemovableDriveScanning" is REG_DWORD = 0, this is not a finding.SRG-APP-000277<GroupDescription></GroupDescription>WNDF-AV-000026Windows Defender AV must be configured to perform a weekly scheduled scan.<VulnDiscussion>This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: (0x0) Every Day (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never (default) If you enable this setting a scheduled scan will run at the frequency specified. 
If you disable or do not configure this setting a scheduled scan will run at a default frequency.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001241Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Scan -> "Specify the day of the week to run a scheduled scan" to "Enabled " and select anything other than "Never" in the drop down box.Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Scan -> "Specify the day of the week to run a scheduled scan" is set to "Enabled" and anything other than "Never" selected in the drop down box. - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Scan - -Criteria: If the value "ScheduleDay" is REG_DWORD = 0x8, this is a finding. - -Values of 0x0 through 0x7 are acceptable and not a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000027Windows Defender AV must be configured to turn on e-mail scanning.<VulnDiscussion>This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled the engine will parse the mailbox and mail files according to their specific format in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported for example: pst (Outlook) dbx mbx mime (Outlook Express) binhex (Mac). If you enable this setting e-mail scanning will be enabled. 
If you disable or do not configure this setting e-mail scanning will be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Scan -> "Turn on e-mail scanning" to "Enabled".Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Scan -> "Turn on e-mail scanning" is set to "Enabled". - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Scan - -Criteria: If the value "DisableEmailScanning" is REG_DWORD = 0, this is not a finding.SRG-APP-000276<GroupDescription></GroupDescription>WNDF-AV-000028Windows Defender AV spyware definition age must not exceed 7 days.<VulnDiscussion>This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date. If definitions are determined to be out of date this state may trigger several additional actions including falling back to an alternative update source or displaying a warning icon in the user interface. By default this value is set to 14 days. If you enable this setting spyware definitions will be considered out of date after the number of days specified have passed without an update. 
If you disable or do not configure this setting spyware definitions will be considered out of date after the default number of days have passed without an update.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001240Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Signature Updates -> "Define the number of days before spyware definitions are considered out of date" to "Enabled" and select "7" or less in the drop down box. - -Do not select a value of 0. This disables the option.Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Signature Updates -> "Define the number of days before spyware definitions are considered out of date" is set to "Enabled" and "7"or less selected in the drop down box (excluding "0", which is unacceptable). - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - -Criteria: If the value "ASSignatureDue" is REG_DWORD = 7, this is not a finding. - -A value of 1 - 6 is also acceptable and not a finding. - -A value of 0 is a finding. - -A value higher than 7 is a finding.SRG-APP-000276<GroupDescription></GroupDescription>WNDF-AV-000029Windows Defender AV virus definition age must not exceed 7 days.<VulnDiscussion>This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date. 
If definitions are determined to be out of date this state may trigger several additional actions including falling back to an alternative update source or displaying a warning icon in the user interface. By default this value is set to 14 days. If you enable this setting virus definitions will be considered out of date after the number of days specified have passed without an update. If you disable or do not configure this setting virus definitions will be considered out of date after the default number of days have passed without an update.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001240Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Signature Updates -> "Define the number of days before virus definitions are considered out of date" to "Enabled" and select "7" or less in the drop down box. - -Do not select a value of 0. - -This disables the option.Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Signature Updates -> "Define the number of days before virus definitions are considered out of date" is set to "Enabled" and "7" or less selected in the drop down box (excluding "0", which is unacceptable). - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates - -Criteria: If the value "AVSignatureDue" is REG_DWORD = 7, this is not a finding. - -A value of 1 - 6 is also acceptable and not a finding. 
- -A value of 0 is a finding. - -A value higher than 7 is a finding.SRG-APP-000261<GroupDescription></GroupDescription>WNDF-AV-000030Windows Defender AV must be configured to check for definition updates daily.<VulnDiscussion>This policy setting allows you to specify the day of the week on which to check for definition updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: (0x0) Every Day (default) (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never If you enable this setting the check for definition updates will occur at the frequency specified. If you disable or do not configure this setting the check for definition updates will occur at a default frequency.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001308Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Signature Updates -> "Specify the day of the week to check for definition updates" to "Enabled" and select "Every Day" in the drop down box.Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Signature Updates -> "Specify the day of the week to check for definition updates" is set to "Enabled" and "Every Day" is selected in the drop down box. 
- -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Signature Update - -Criteria: If the value "ScheduleDay" is REG_DWORD = 0, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>WNDF-AV-000031Windows Defender AV must be configured for automatic remediation action to be taken for threat alert level Severe.<VulnDiscussion>This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level. Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should be taken. Valid threat alert levels are: 1 = Low 2 = Medium 4 = High 5 = Severe Valid remediation action values are: 2 = Quarantine 3 = Remove 6 = Ignore</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Threats -> "Specify threat alert levels at which default action should not be taken when detected" to "Enabled". Select the “Show…” option box and enter "5” in the ‘Value name’ field and enter “2" in the ‘Value’ field. Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Threats -> "Specify threat alert levels at which default action should not be taken when detected" is set to "Enabled". 
Click the “Show…” box option and verify the ‘Value name’ field contains a value of “5” and the ‘Value’ field contains a “2". A value of “3” in the ‘Value’ field is more restrictive and also an acceptable value. - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - -Criteria: If the value "5" is REG_SZ = 2 (or 3), this is not a finding. -SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000032Windows Defender AV must be configured to block executable content from email client and webmail.<VulnDiscussion>This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): -Executable files (such as .exe, .dll, or .scr) -Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -Script archive files</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" to "Enabled”. Click ‘Show...’. Set the Value name to “BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550” and the Value to “1”.This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions. 
- -Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" is set to "Enabled”. Click ‘Show...’. Verify the rule ID in the Value name column and the desired state in the Value column is set as follows: -Value name: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Value: 1 - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules - -Criteria: If the value “BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550” is REG_SZ = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000033Windows Defender AV must be configured block Office applications from creating child processes.<VulnDiscussion>Office apps, such as Word or Excel, will not be allowed to create child processes. -This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" to "Enabled”. Click ‘Show...’. 
Set the Value name to “D4F940AB-401B-4EFC-AADC-AD5F3C50688A” and the Value to “1”.This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions. - -Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" is set to "Enabled”. Click ‘Show...’. Verify the rule ID in the Value name column and the desired state in the Value column is set as follows: -Value name: D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Value: 1 - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules - -Criteria: If the value “D4F940AB-401B-4EFC-AADC-AD5F3C50688A” is REG_SZ = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000034Windows Defender AV must be configured block Office applications from creating executable content.<VulnDiscussion>This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is a typical malware technique. -Extensions will be blocked from being used by Office apps. 
Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" to "Enabled”. Click ‘Show...’. Set the Value name to “3B576869-A4EC-4529-8536-B80A7769E899” and the Value to “1”. This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions. - -Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" is set to "Enabled”. Click ‘Show...’. 
Verify the rule ID in the Value name column and the desired state in the Value column is set as follows: -Value name: 3B576869-A4EC-4529-8536-B80A7769E899 -Value: 1 - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules - -Criteria: If the value “3B576869-A4EC-4529-8536-B80A7769E899” is REG_SZ = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000035Windows Defender AV must be configured to block Office applications from injecting into other processes.<VulnDiscussion>Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" to "Enabled”. Click ‘Show...’. Set the Value name to “75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84” and the Value to “1”. This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions. 
- -Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" is set to "Enabled”. Click ‘Show...’. Verify the rule ID in the Value name column and the desired state in the Value column is set as follows: -Value name: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Value: 1 - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules - -Criteria: If the value “75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84” is REG_SZ = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000036Windows Defender AV must be configured to impede JavaScript and VBScript to launch executables.<VulnDiscussion>JavaScript and VBScript scripts can be used by malware to launch other malicious apps. -This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" to "Enabled”. Click ‘Show...’. Set the Value name to “D3E037E1-3EB8-44C8-A917-57927947596D” and the Value to “1”. 
This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions. - -Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" is set to "Enabled”. Click ‘Show...’. Verify the rule ID in the Value name column and the desired state in the Value column is set as follows: -Value name: D3E037E1-3EB8-44C8-A917-57927947596D -Value: 1 - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules - -Criteria: If the value “D3E037E1-3EB8-44C8-A917-57927947596D” is REG_SZ = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000037Windows Defender AV must be configured to block execution of potentially obfuscated scripts.<VulnDiscussion>Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. -It uses the AntiMalwareScanInterface (AMSI) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them. 
-</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" to "Enabled”. Click ‘Show...’. Set the Value name to “5BEB7EFE-FD9A-4556-801D-275E5FFC04CC” and the Value to “1”. This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions. - -Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" is set to "Enabled”. Click ‘Show...’. Verify the rule ID in the Value name column and the desired state in the Value column is set as follows: -Value name: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Value: 1 - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules - -Criteria: If the value “5BEB7EFE-FD9A-4556-801D-275E5FFC04CC” is REG_SZ = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000038Windows Defender AV must be configured to block Win32 imports from macro code in Office.<VulnDiscussion>This rule blocks potentially malicious behavior by not allowing macro code to execute routines in the Win 32 dynamic link library (DLL). 
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" to "Enabled”. Click ‘Show...’. Set the Value name to “92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B” and the Value to “1”. This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions. - -Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Attack Surface Reduction -> "Configure Attack Surface Reduction rules" is set to "Enabled”. Click ‘Show...’. 
Verify the rule ID in the Value name column and the desired state in the Value column is set as follows: -Value name: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Value: 1 - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules - -Criteria: If the value “92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B” is REG_SZ = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>WNDF-AV-000039Windows Defender AV must be configured to prevent user and apps from accessing dangerous websites.<VulnDiscussion>Enable Windows Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams exploit-hosting sites and other malicious content on the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001170Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Network Protection -> "Prevent users and apps from accessing dangerous websites" to "Enabled” and select “Block" in the drop down box.This setting is applicable starting with v1709 of Windows 10, it is NA for prior versions. 
- - Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Windows Defender Exploit Guard -> Network Protection -> "Prevent users and apps from accessing dangerous websites" is set to "Enabled” and “Block" selected in the drop down box. - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection - -Criteria: If the value "EnableNetworkProtection" is REG_DWORD = 1, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>WNDF-AV-000040Windows Defender AV must be configured for automatic remediation action to be taken for threat alert level High.<VulnDiscussion>This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level. Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should be taken. Valid threat alert levels are: 1 = Low 2 = Medium 4 = High 5 = Severe Valid remediation action values are: 2 = Quarantine 3 = Remove 6 = Ignore</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Threats -> "Specify threat alert levels at which default action should not be taken when detected" to "Enabled". 
Select the “Show…” option box and enter "4” in the ‘Value name’ field and enter “2" in the ‘Value’ field. Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Threats -> "Specify threat alert levels at which default action should not be taken when detected" is set to "Enabled". Click the “Show…” box option and verify the ‘Value name’ field contains a value of “4” and the ‘Value’ field contains a “2". A value of “3” in the ‘Value’ field is more restrictive and also an acceptable value. - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - -Criteria: If the value "4" is REG_SZ = 2 (or 3), this is not a finding. SRG-APP-000207<GroupDescription></GroupDescription>WNDF-AV-000041Windows Defender AV must be configured for automatic remediation action to be taken for threat alert level Medium.<VulnDiscussion>This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level. Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should be taken. 
Valid threat alert levels are: 1 = Low 2 = Medium 4 = High 5 = Severe Valid remediation action values are: 2 = Quarantine 3 = Remove 6 = Ignore</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Threats -> "Specify threat alert levels at which default action should not be taken when detected" to "Enabled". Select the “Show…” option box and enter "2” in the ‘Value name’ field and enter “2" in the ‘Value’ field.Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Threats -> "Specify threat alert levels at which default action should not be taken when detected" is set to "Enabled". Click the “Show…” box option and verify the ‘Value name’ field contains a value of “2” and the ‘Value’ field contains a “2". A value of “3” in the ‘Value’ field is more restrictive and also an acceptable value. - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - -Criteria: If the value "2" is REG_SZ = 2 (or 3), this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>WNDF-AV-000042Windows Defender AV must be configured for automatic remediation action to be taken for threat alert level Low.<VulnDiscussion>This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level. 
Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should be taken. Valid threat alert levels are: 1 = Low 2 = Medium 4 = High 5 = Severe Valid remediation action values are: 2 = Quarantine 3 = Remove 6 = Ignore</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Defender AntivirusDISADPMS TargetWindows Defender Antivirus3249CCI-001662Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Threats -> "Specify threat alert levels at which default action should not be taken when detected" to "Enabled". Select the “Show…” option box and enter "1” in the ‘Value name’ field and enter “2" in the ‘Value’ field.Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Antivirus -> Threats -> "Specify threat alert levels at which default action should not be taken when detected" is set to "Enabled". Click the “Show…” box option and verify the ‘Value name’ field contains a value of “1” and the ‘Value’ field contains a “2". A value of “3” in the ‘Value’ field is more restrictive and also an acceptable value. - -Procedure: Use the Windows Registry Editor to navigate to the following key: -HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction - -Criteria: If the value "1" is REG_SZ = 2 (or 3), this is not a finding. 
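Review bot: the removed rules carry check criteria with alternative acceptable values that the replacement benchmark must still express for the parser, e.g. the ThreatSeverityDefaultAction checks "If the value "4" is REG_SZ = 2 (or 3), this is not a finding." (WNDF-AV-000040 through WNDF-AV-000042) and the ASR rules keyed on REG_SZ = 1 under HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules (WNDF-AV-000033 through WNDF-AV-000038). Please confirm the V2R1 replacement preserves the "(or 3)" alternative and the per-GUID value names, or that the accompanying .log file rewrites them into a form the rule parser accepts, so none of these rules drop out of the processed data or lose the more-restrictive acceptable value.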
diff --git a/source/StigData/Archive/Windows.Defender/U_MS_Windows_Defender_Antivirus_STIG_V2R1_Manual-xccdf.log b/source/StigData/Archive/Windows.Defender/U_MS_Windows_Defender_Antivirus_STIG_V2R1_Manual-xccdf.log new file mode 100644 index 000000000..2911a479b --- /dev/null +++ b/source/StigData/Archive/Windows.Defender/U_MS_Windows_Defender_Antivirus_STIG_V2R1_Manual-xccdf.log @@ -0,0 +1,9 @@ +V-213426::If the value "PUAProtection" does not exist, this is a finding.::"" +V-213450::Values of 0x0 through 0x7 are acceptable and not a finding.::Values of 0 through 7 are acceptable and not a finding. +V-213434::REG_DWORD = 2 or REG_DWORD = 1::REG_DWORD = 2(or 1) +V-213428::For Windows Server 2016/Windows Server 2019:::blank1 +V-213428::Note: This only applies when a third-party antivirus solution is enforced on the system.::blank2 +V-213428::Due to changes from Microsoft in the Server 2016/Server 2019 architecture, Windows Defender Antivirus will not disable itself when other antivirus products are detected. Microsoft has also removed API's for other Antivirus software to cleanly stop and disable Windows Defender AV. This was a design choice by Microsoft to maximize protection in Server 2016/Server 2019.::blank3 +V-213428::If there is a third-party antivirus product enforced on the system, the Windows Defender Antivirus must be uninstalled.::blank4 +V-213428::Procedure: Access Add Roles and Features Wizard >> Features::blank5 +V-213428::Criteria: If “Windows Defender Features (Installed) is selected, this is a finding.::blank6 diff --git a/source/StigData/Archive/Windows.Defender/U_MS_Windows_Defender_Antivirus_STIG_V2R1_Manual-xccdf.xml b/source/StigData/Archive/Windows.Defender/U_MS_Windows_Defender_Antivirus_STIG_V2R1_Manual-xccdf.xml new file mode 100644 index 000000000..73d6813de --- /dev/null +++ b/source/StigData/Archive/Windows.Defender/U_MS_Windows_Defender_Antivirus_STIG_V2R1_Manual-xccdf.xml 
@@ -0,0 +1,366 @@ +acceptedMicrosoft Windows Defender Antivirus Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 13 Nov 20203.1.1.362251.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>WN12-00-000001Server systems must be located in a controlled access area, accessible only to authorized personnel.<VulnDiscussion>Inadequate physical protection can undermine all other security precautions utilized to protect the system. This can jeopardize the confidentiality, availability, and integrity of the system. 
Physical security is the first line of protection of any system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1070SV-52838CCI-000366Ensure servers are located in secure, access-controlled areas.Verify servers are located in controlled access areas that are accessible only to authorized personnel. If systems are not adequately protected, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000004Users with administrative privilege must be documented.<VulnDiscussion>Administrative accounts may perform any action on a system. Users with administrative accounts must be documented to ensure those with this level of access are clearly identified.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51575V-36658CCI-000366Create the necessary documentation that identifies the members of the Administrators group.Review the necessary documentation that identifies the members of the Administrators group. 
If a list of all users belonging to the Administrators group is not maintained with the ISSO, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000005Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.<VulnDiscussion>Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51576V-36659CCI-000366Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. 
+ +If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000006Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.<VulnDiscussion>If SAs are assigned to systems running operating systems for which they have no training, these systems are at additional risk of unintentional misconfiguration that may result in vulnerabilities or decreased availability of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51577V-36666CCI-000366Establish site policy that requires SAs be trained for all operating systems running on systems under their control.Determine whether the site has a policy that requires SAs be trained for all operating systems running on systems under their control. If the site does not have a policy requiring SAs be trained for all operating systems under their control, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000007Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.<VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. 
The password for the built-in Administrator account must be changed at least annually or when any member of the administrative team leaves the organization. + +Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52942V-14225CCI-000366Change the built-in Administrator account password at least annually or whenever an administrator leaves the organization. More frequent changes are recommended. + +Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this.Review the password last set date for the built-in Administrator account. + +Domain controllers: + +Open "Windows PowerShell". + +Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | FL Name, SID, PasswordLastSet". + +If the "PasswordLastSet" date is greater than one year old, this is a finding. + +Member servers and standalone systems: + +Open "Windows PowerShell" or "Command Prompt". + +Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account. + +(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.) 
+ +If the "PasswordLastSet" date is greater than one year old, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000008Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.<VulnDiscussion>Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. + +Since administrative accounts may generally change or work around technical restrictions for running a web browser or other applications, it is essential that policy requires administrative accounts to not access the Internet or use applications, such as email. + +The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. 
+ +Technical means such as application whitelisting can be used to enforce the policy to ensure compliance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51578V-36451CCI-000366Establish and enforce a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. + +Implement technical measures where feasible such as removal of applications or use of application whitelisting to restrict the use of applications that can access the Internet.Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. + +The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. 
+ +Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. + +If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000009-01Members of the Backup Operators group must be documented.<VulnDiscussion>Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. Visibility of members of the Backup Operators group must be maintained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1168SV-52156CCI-000366Create the necessary documentation that identifies the members of the Backup Operators group.If no accounts are members of the Backup Operators group, this is NA. + +Any accounts that are members of the Backup Operators group, including application accounts, must be documented with the ISSO. 
If documentation of accounts that are members of the Backup Operators group is not maintained this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000009-02Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.<VulnDiscussion>Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. Members of the Backup Operators group must have separate logon accounts for performing backup duties.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52157V-40198CCI-000366Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions.If no accounts are members of the Backup Operators group, this is NA. + +Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>WN12-00-000010Policy must require application account passwords be at least 15 characters in length.<VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. 
Application/service accounts that are manually managed must have passwords at least 15 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36661SV-51579CCI-000205Establish a site policy that requires application/service account passwords that are manually managed to be at least 15 characters in length. Ensure the policy is enforced.Verify the site has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. If such a policy does not exist or has not been implemented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000011Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.<VulnDiscussion>Setting application accounts to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. 
If managed service accounts are used, this alleviates the need to manually change application account passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51580V-36662CCI-000366Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. + +It is recommended that system-managed service accounts be used where possible.Determine if manually managed application/service accounts exist. If none exist, this is NA. + +If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. + +Identify manually managed application/service accounts. + +To determine the date a password was last changed: + +Domain controllers: + +Open "Windows PowerShell". + +Enter "Get-ADUser -Identity [application account name] -Properties PasswordLastSet | FL Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. + +If the "PasswordLastSet" date is more than one year old, this is a finding. + +Member servers and standalone systems: + +Open "Windows PowerShell" or "Command Prompt". + +Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. 
+ +If the "Password Last Set" date is more than one year old, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>WN12-00-000012Shared user accounts must not be permitted on the system.<VulnDiscussion>Shared accounts (accounts where two or more people log in with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1072SV-52839CCI-000764Remove unapproved shared accounts from the system. + +Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.Determine whether any shared accounts exist. If no shared accounts exist, this is NA. + +Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. 
+ +If unapproved shared accounts exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000013Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.<VulnDiscussion>Security configuration tools such as Group Policies and Security Templates allow system administrators to consolidate security-related system settings into a single configuration file. These settings can then be applied consistently to any number of Windows machines.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52859V-1128CCI-000366Implement a process using security configuration tools or the equivalent to configure Windows systems to meet security requirements.Verify security configuration tools or equivalent processes are being used to configure Windows systems to meet security requirements. If security configuration tools or equivalent processes are not used, this is a finding. + +Security configuration tools that are integrated into Windows, such as Group Policies and Security Templates, may be used to configure platforms for security compliance. + +If an alternate method is used to configure a system (e.g., manually using the DISA Windows Security STIGs, etc.) 
and the same configured result is achieved, this is acceptable.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000014System-level information must be backed up in accordance with local recovery time and recovery point objectives.<VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. + +System-level information includes system-state information, operating system and application software, and licenses. + +Backups must be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52841V-1076CCI-000366Implement system-level information backups in accordance with local recovery time and recovery point objectives.Determine whether system-level information is backed up in accordance with local recovery time and recovery point objectives. If system-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>WN12-00-000015User-level information must be backed up in accordance with local recovery time and recovery point objectives.<VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. + +User-level information is data generated by information system and/or application users. 
+ +Backups shall be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51581V-36733CCI-000366Implement user-level information backups in accordance with local recovery time and recovery point objectives.Determine whether user-level information is backed up in accordance with local recovery time and recovery point objectives. If user-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>WN12-00-000016Backups of system-level information must be protected.<VulnDiscussion>A system backup will usually include sensitive information such as user accounts that could be used in an attack. 
As a valuable system resource, the system backup must be protected and stored in a physically secure location.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52130V-40172CCI-000366Ensure system-level information backups are stored in a secure location and protected from destruction.Determine if system-level information backups are protected from destruction and stored in a physically secure location. If they are not, this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>WN12-00-000017System-related documentation must be backed up in accordance with local recovery time and recovery point objectives.<VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. + +Information system and security-related documentation contains information pertaining to system configuration and security settings. 
+ +Backups shall be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-40173SV-52131CCI-000366Back up system-related documentation in accordance with local recovery time and recovery point objectives.Determine whether system-related documentation is backed up in accordance with local recovery time and recovery point objectives. If system-related documentation is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.SRG-OS-000370-GPOS-00155<GroupDescription></GroupDescription>WN12-00-000018The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.<VulnDiscussion>Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. + +The organization must identify authorized software programs and only permit execution of authorized software. 
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-57637SV-72047CCI-001774Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + +Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server 2012. + +If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. + +Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: + +https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfmThis is applicable to unclassified systems; for other systems this is NA. + +Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + +If an application whitelisting program is not in use on the system, this is a finding. + +Configuration of whitelisting applications will vary by the program. + +AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. 
+ +If AppLocker is used, perform the following to view the configuration of AppLocker: +Open PowerShell. + +If the AppLocker PowerShell module has not been previously imported, execute the following first: +Import-Module AppLocker + +Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: +Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml + +This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. + +Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: + +https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfmSRG-OS-000425-GPOS-00189<GroupDescription></GroupDescription>WN12-00-000019Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.<VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. + +Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission. This can be accomplished via access control and encryption. + +Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. 
When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, encrypted VPNs, or IPSEC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-57641SV-72051CCI-002420CCI-002422Configure protection methods such as TLS, encrypted VPNs, or IPSEC when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process to maintain the confidentiality and integrity.If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPSEC have been implemented. If protection methods have not been implemented, this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>WN12-00-000020Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.<VulnDiscussion>This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. 
The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-72055V-57645CCI-001199CCI-002475CCI-002476Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest.Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If it does not, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000100The Windows 2012 / 2012 R2 system must use an anti-virus program.<VulnDiscussion>Malicious software can establish a base on individual desktops and servers. 
Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52103V-1074CCI-000366Install an anti-virus solution on the system.Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. + +If there is no anti-virus solution installed on the system, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-00-000160The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant. + +Disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1. File shares and print services hosted on Windows Server 2003 are an example, however Windows Server 2003 is no longer a supported operating system. 
Some older network attached devices may only support SMBv1.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-88471V-73805CCI-000381Run "Windows PowerShell" with elevated privileges (run as administrator). +Enter the following: +Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol + +Alternately: +Search for "Features". +Select "Turn Windows features on or off". +De-select "SMB 1.0/CIFS File Sharing Support". + +The system must be restarted for the changes to take effect.This requirement applies to Windows 2012 R2, it is NA for Windows 2012 (see V-73519 and V-73523 for 2012 requirements). + +Different methods are available to disable SMBv1 on Windows 2012 R2. This is the preferred method, however if V-73519 and V-73523 are configured, this is NA. + +Run "Windows PowerShell" with elevated privileges (run as administrator). +Enter the following: +Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol + +If "State : Enabled" is returned, this is a finding. + +Alternately: +Search for "Features". +Select "Turn Windows features on or off". + +If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-00-000170The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant. 
+ +Disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1. File shares and print services hosted on Windows Server 2003 are an example, however Windows Server 2003 is no longer a supported operating system. Some older network attached devices may only support SMBv1.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-88193V-73519CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 Server" to "Disabled". + +The system must be restarted for the change to take effect. + +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.This requirement specifically applies to Windows 2012 but can also be used for Windows 2012 R2. + +Different methods are available to disable SMBv1 on Windows 2012 R2, if V-73805 is configured on Windows 2012 R2, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ + +Value Name: SMB1 + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-00-000180The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant. + +Disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1. File shares and print services hosted on Windows Server 2003 are an example, however Windows Server 2003 is no longer a supported operating system. Some older network attached devices may only support SMBv1.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-73523SV-88205CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client driver" to "Enabled" with "Disable driver (recommended)" selected for "Configure MrxSmb10 driver". 
+ +Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client (extra setting needed for pre-Win8.1/2012R2)" to "Enabled" with the following three lines of text entered for "Configure LanmanWorkstation Dependencies": +Bowser +MRxSmb20 +NSI + +The system must be restarted for the changes to take effect. + +These policy settings requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.This requirement specifically applies to Windows 2012 but can also be used for Windows 2012 R2. + +Different methods are available to disable SMBv1 on Windows 2012 R2, if V-73805 is configured on Windows 2012 R2, this is NA. + +If the following registry value is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ + +Value Name: Start + +Type: REG_DWORD +Value: 0x00000004 (4) + +If the following registry value includes MRxSmb10, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ + +Value Name: DependOnService + +Type: REG_MULTI_SZ +Value: Default values after removing MRxSmb10 include the following, which are not a finding: +Bowser +MRxSmb20 +NSISRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000190Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2.<VulnDiscussion>Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there is a potential they may still have rights no longer intended. 
Valid domain accounts or groups may also show up as unresolved SIDs if a connection to the domain cannot be established for some reason.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-75915SV-90603CCI-000366Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy.Review the effective User Rights setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) + +If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-00-000200Windows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2.<VulnDiscussion>Later versions of Windows PowerShell provide additional security and advanced logging features that can provide greater detail when malware has been run on a system. PowerShell 5.x includes the advanced logging features. PowerShell 4.0 with the addition of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012 adds advanced logging features. 
+ +PowerShell is updated with the installation of the corresponding version of the Windows Management Framework (WMF). + +Updating to a later PowerShell version may have compatibility issues with some applications. The following links should be reviewed and updates tested before applying to a production environment. + +WMF 4.0: +Review the System Requirements under the download link - https://www.microsoft.com/en-us/download/details.aspx?id=40855 + +WMF 5.0: +https://docs.microsoft.com/en-us/powershell/wmf/5.0/productincompat + +WMF 5.1: +https://docs.microsoft.com/en-us/powershell/wmf/5.1/productincompat</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-80473SV-95179CCI-000366Update Windows PowerShell to version 4.0 or 5.x. + +Windows 2012 R2 includes PowerShell 4.0 by default. It may be updated with the installation of Windows Management Framework (WMF) 5.0 or 5.1. + +Windows 2012 requires the installation of Windows Management Framework (WMF) 4.0, 5.0, or 5.1. + +Updating to a later PowerShell version may have compatibility issues with some applications. The following links should be reviewed and updates tested before applying to a production environment. + +WMF 4.0: +Review the System Requirements under the download link - https://www.microsoft.com/en-us/download/details.aspx?id=40855 + +WMF 5.0: +https://docs.microsoft.com/en-us/powershell/wmf/5.0/productincompat + +WMF 5.1: +https://docs.microsoft.com/en-us/powershell/wmf/5.1/productincompatOpen "Windows PowerShell". + +Enter "$PSVersionTable". 
+ +If the value for "PSVersion" is not 4.0 or 5.x, this is a finding. + +Windows 2012 R2 includes PowerShell 4.0 by default. Windows 2012 must be updated. If PowerShell 4.0 is used, the required patch for script block logging will be verified with the requirement to have that enabled.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>WN12-00-000210PowerShell script block logging must be enabled on Windows 2012/2012 R2.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. This can provide additional detail when malware has run on a system. + +PowerShell 5.x supports script block logging. PowerShell 4.0 with the addition of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012 adds support for script block logging. + +Satisfies: SRG-OS-000042-GPOS-00021</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-95183V-80475CCI-000135Configure the following registry value as specified. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ + +Value Name: EnableScriptBlockLogging + +Value Type: REG_DWORD +Value: 0x00000001 (1) + +Administrative templates from later versions of Windows include a group policy setting for this. Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled". + +Install patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012 on systems with PowerShell 4.0. + +PowerShell 5.x does not require the installation of an additional patch.If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ + +Value Name: EnableScriptBlockLogging + +Value Type: REG_DWORD +Value: 0x00000001 (1) + +PowerShell 4.0 requires the installation of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012. + +If the patch is not installed on systems with PowerShell 4.0, this is a finding. + +PowerShell 5.x does not require the installation of an additional patch.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-00-000220Windows PowerShell 2.0 must not be installed on Windows 2012/2012 R2.<VulnDiscussion>Windows PowerShell versions 4.0 (with a patch) and 5.x add advanced logging features that can provide additional detail when malware has been run on a system. 
Ensuring Windows PowerShell 2.0 is not installed as well mitigates against a downgrade attack that evades the advanced logging features of later Windows PowerShell versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-95185V-80477CCI-000381Windows PowerShell 2.0 is not installed by default. + +Uninstall it if it has been installed. + +Open "Windows PowerShell". + +Enter "Uninstall-WindowsFeature -Name PowerShell-v2". + +Alternately: + +Use the "Remove Roles and Features Wizard" and deselect "Windows PowerShell 2.0 Engine" under "Windows PowerShell".Windows PowerShell 2.0 is not installed by default. + +Open "Windows PowerShell". + +Enter "Get-WindowsFeature -Name PowerShell-v2". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>WN12-AC-000001Windows 2012 account lockout duration must be configured to 15 minutes or greater.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. 
This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52850V-1099CCI-002238Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. + +A value of "0" is also acceptable, requiring an administrator to unlock the account.Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. + +Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>WN12-AC-000002The number of allowed bad logon attempts must meet minimum requirements.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. 
The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52848V-1097CCI-000044Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy -> "Account lockout threshold" to "3" or less invalid logon attempts (excluding "0" which is unacceptable).Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy. + +If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>WN12-AC-000003The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to "0". 
The smaller this value is, the less effective the account lockout feature will be in protecting the local system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1098SV-52849CCI-000044CCI-002238Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes.Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>WN12-AC-000004The password history must be configured to 24 passwords remembered.<VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is 24 for Windows domain systems. 
DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1107SV-52853CCI-000200Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered.Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>WN12-AC-000005The maximum password age must meet requirements.<VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. 
Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52851V-1104CCI-000199Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Maximum password age" to "60" days or less (excluding "0" which is unacceptable).Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>WN12-AC-000006The minimum password age must meet requirements.<VulnDiscussion>Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. 
This enables users to effectively negate the purpose of mandating periodic password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1105SV-52852CCI-000198Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Minimum password age" to at least "1" day.Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. 
+ +If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately."), this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>WN12-AC-000007Passwords must, at a minimum, be 14 characters.<VulnDiscussion>Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52938V-6836CCI-000205Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Minimum password length" to "14" characters.Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for the "Minimum password length," is less than "14" characters, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>WN12-AC-000008The built-in Windows password complexity policy must be enabled.<VulnDiscussion>The use of complex passwords increases their strength against attack. 
The built-in Windows password complexity policy requires passwords to contain at least 3 of the 4 types of characters (numbers, upper- and lower-case letters, and special characters), as well as preventing the inclusion of user names or parts of.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52863V-1150CCI-000192CCI-000193CCI-000194CCI-001619Configure the policy value for Computer Configuration >> Windows Settings -> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled".Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. + +Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>WN12-AC-000009Reversible password encryption must be disabled.<VulnDiscussion>Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. 
For this reason, this policy must never be enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52880V-2372CCI-000196Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Store password using reversible encryption" to "Disabled".Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. + +If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-AC-000010-DCKerberos user logon restrictions must be enforced.<VulnDiscussion>This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. 
The policy is enabled by default which is the most secure setting for validating access to target resources is not circumvented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51160V-2376CCI-000366Configure the policy value in the Default Domain Policy for Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Enforce user logon restrictions" to "Enabled".Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-AC-000011-DCThe Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.<VulnDiscussion>This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. 
Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-2377SV-51162CCI-000366Configure the policy value in the Default Domain Policy for Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Maximum lifetime for service ticket" to a maximum of 600 minutes, but not 0 which equates to "Ticket doesn't expire".Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the value for "Maximum lifetime for service ticket" is 0 or greater than 600 minutes, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-AC-000012-DCThe Kerberos user ticket lifetime must be limited to 10 hours or less.<VulnDiscussion>In Kerberos, there are 2 types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT which is then used to request Service Tickets to resources. 
Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that startup under a specified user account, users must always get a TGT first, then get Service Tickets to all computers and services accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51164V-2378CCI-000366Configure the policy value in the Default Domain Policy for Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Maximum lifetime for user ticket" to a maximum of 10 hours, but not 0 which equates to "Ticket doesn't expire".Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the value for "Maximum lifetime for user ticket" is 0 or greater than 10 hours, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-AC-000013-DCThe Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less.<VulnDiscussion>This setting determines the period of time (in days) during which a user's TGT may be renewed. 
This security configuration limits the amount of time an attacker has to crack the TGT and gain access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-2379SV-51166CCI-000366Configure the policy value in the Default Domain Policy for Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Maximum lifetime for user ticket renewal" to a maximum of 7 days or less.Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. + +If the "Maximum lifetime for user ticket renewal" is greater than 7 days, this is a finding.SRG-OS-000112-GPOS-00057<GroupDescription></GroupDescription>WN12-AC-000014-DCThe computer clock synchronization tolerance must be limited to 5 minutes or less.<VulnDiscussion>This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. 
For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51168V-2380CCI-001941CCI-001942Configure the policy value in the Default Domain Policy for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Maximum tolerance for computer clock synchronization" to a maximum of 5 minutes or less.Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain). +Right click on the "Default Domain Policy". +Select Edit. +Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy. 
+ +If the "Maximum tolerance for computer clock synchronization" is greater than 5 minutes, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-AD-000001-DCActive Directory data files must have proper access control permissions.<VulnDiscussion>Improper access permissions for directory data related files could allow unauthorized users to read, modify, or delete directory data or audit trails.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51175V-8316CCI-002235Ensure the permissions on NTDS database and log files are at least as restrictive as the following: +NT AUTHORITY\SYSTEM:(I)(F) +BUILTIN\Administrators:(I)(F) + +(I) - permission inherited from parent container +(F) - full accessVerify the permissions on the content of the NTDS directory. + +Open the registry editor (regedit). +Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters. +Note the directory locations in the values for: +Database log files path +DSA Database file + +By default they will be \Windows\NTDS. If the locations are different, the following will need to be run for each. + +Open an elevated command prompt (Win+x, Command Prompt (Admin)). +Navigate to the NTDS directory (\Windows\NTDS by default). +Run "icacls *.*". + +If the permissions on each file are not at least as restrictive as the following, this is a finding. 
+ +NT AUTHORITY\SYSTEM:(I)(F) +BUILTIN\Administrators:(I)(F) + +(I) - permission inherited from parent container +(F) - full access + +Do not use File Explorer to attempt to view permissions of the NTDS folder. Accessing the folder through File Explorer will change the permissions on the folder.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-AD-000002-DCThe Active Directory SYSVOL directory must have the proper access control permissions.<VulnDiscussion>Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. + +The SYSVOL directory contains public files (to the domain) such as policies and logon scripts. Data in shared subdirectories are replicated to all domain controllers in a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-39331SV-51176CCI-002235Ensure the permissions on SYSVOL directory do not allow greater than read & execute for standard user accounts or groups. The defaults below meet this requirement. 
+ +Type - Allow +Principal - Authenticated Users +Access - Read & execute +Inherited from - None +Applies to - This folder, subfolder and files + +Type - Allow +Principal - Server Operators +Access - Read & execute +Inherited from - None +Applies to - This folder, subfolder and files + +Type - Allow +Principal - Administrators +Access - Special +Inherited from - None +Applies to - This folder only +(Access - Special - Basic Permissions: all selected except Full control) + +Type - Allow +Principal - CREATOR OWNER +Access - Full control +Inherited from - None +Applies to - Subfolders and files only + +Type - Allow +Principal - Administrators +Access - Full control +Inherited from - None +Applies to - Subfolders and files only + +Type - Allow +Principal - SYSTEM +Access - Full control +Inherited from - None +Applies to - This folder, subfolders and filesVerify the permissions on the SYSVOL directory. + +Open a command prompt. +Run "net share". +Make note of the directory location of the SYSVOL share. + +By default this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. + +Open File Explorer. +Navigate to \Windows\SYSVOL (or the directory noted previously if different). +Right click the directory and select properties. +Select the Security tab. +Click Advanced. + +If any standard user accounts or groups have greater than read & execute permissions, this is a finding. The default permissions noted below meet this requirement. 
+ +Type - Allow +Principal - Authenticated Users +Access - Read & execute +Inherited from - None +Applies to - This folder, subfolder and files + +Type - Allow +Principal - Server Operators +Access - Read & execute +Inherited from - None +Applies to - This folder, subfolder and files + +Type - Allow +Principal - Administrators +Access - Special +Inherited from - None +Applies to - This folder only +(Access - Special - Basic Permissions: all selected except Full control) + +Type - Allow +Principal - CREATOR OWNER +Access - Full control +Inherited from - None +Applies to - Subfolders and files only + +Type - Allow +Principal - Administrators +Access - Full control +Inherited from - None +Applies to - Subfolders and files only + +Type - Allow +Principal - SYSTEM +Access - Full control +Inherited from - None +Applies to - This folder, subfolders and files + + +Alternately, use Icacls.exe to view the permissions of the SYSVOL directory. +Open a command prompt. +Run "icacls c:\Windows\SYSVOL +The following results should be displayed: + +NT AUTHORITY\Authenticated Users:(RX) +NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) +BUILTIN\Server Operators:(RX) +BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) +BUILTIN\Administrators:(M,WDAC,WO) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(F) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M,WDAC,WO) +CREATOR OWNER:(OI)(CI)(IO)(F) + +(RX) - Read & execute +Run "icacls /help" to view definitions of other permission codes.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-AD-000003-DCActive Directory Group Policy objects must have proper access control permissions.<VulnDiscussion>When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. 
When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems relying on the directory service. + +For Active Directory (AD), the Group Policy objects require special attention. In a distributed administration model (i.e., help desk), Group Policy objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for Group Policy Objects, this could allow an intruder to change the security policy applied to all domain client computers (workstations and servers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51177V-33673CCI-002235Ensure the permissions on Group Policy objects do not allow greater than Read and Apply group policy for standard user accounts or groups. The default permissions below meet this requirement. + +Authenticated Users - Read, Apply group policy, Special permissions +The Special permissions for Authenticated Users are for Read type Properties. 
+ +CREATOR OWNER - Special permissions + +SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions + +Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions + +Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + +Document any other access permissions that allow the objects to be updated with the ISSO. + +The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default group policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created group policy objects.Verify the permissions on Group Policy objects. + +Open "Group Policy Management". (Available from various menus or run "gpmc.msc".) +Navigate to "Group Policy Objects" in the domain being reviewed (Forest > Domains > Domain). + +For each Group Policy object: +Select the Group Policy object item in the left pane. +Select the Delegation tab in the right pane. +Select the Advanced button. + +If any standard user accounts or groups have greater than Allow permissions of Read and Apply group policy, this is a finding. + +Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. + +The default permissions noted below meet this requirement. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry, and the Edit button. + +Authenticated Users - Read, Apply group policy, Special permissions + +The Special permissions for Authenticated Users are for Read type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. 
+ +The Special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties. + +CREATOR OWNER - Special permissions + +SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions + +Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions + +Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + +The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default group policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created group policy objects. + +The Anonymous Logon, Guests, or any group that contains those groups (in which users are not uniquely identified and authenticated) must not have any access permissions unless the group and justification is explicitly documented with the ISSO.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-AD-000004-DCThe Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.<VulnDiscussion>When Active Directory (AD) objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. + +The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain. 
Inappropriate access permissions defined for the Domain Controllers OU could allow an intruder or unauthorized personnel to make changes which could lead to the compromise of the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51178V-39332CCI-002235Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators. + +The default permissions listed below satisfy this requirement. + +Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions. + +SELF - Special permissions + +Authenticated Users - Read, Special permissions +The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +SYSTEM - Full Control + +Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Enterprise Admins - Full Control + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions +The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. 
+ +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissionsVerify the permissions on the Domain Controllers OU. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) + +Select Advanced Features in the View menu if not previously selected. + +Navigate to the Domain Controllers OU (folder in folder icon). + +Right click the OU and select Properties. + +Select the Security tab. + +If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding. + +The default permissions listed below satisfy this requirement. + +Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the Advanced button, selecting the desired Permission entry, and the Edit button. + +SELF - Special permissions + +Authenticated Users - Read, Special permissions +The Special permissions for Authenticated Users are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +SYSTEM - Full Control + +Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Enterprise Admins - Full Control + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions +The Special permissions for Pre-Windows 2000 Compatible Access are Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. 
+ +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissionsSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-AD-000005-DCDomain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.<VulnDiscussion>When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. + +For Active Directory (AD), the Organizational Unit (OU) objects require special attention. In a distributed administration model (i.e., help desk), OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a Denial of Service to authorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51179V-39333CCI-002235Ensure the permissions on domain defined OUs are at least as restrictive as the defaults below. + +Document any additional permissions above read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented. 
+ +Self - Special permissions + +Authenticated Users - Read, Special permissions +The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +SYSTEM - Full Control + +Domain Admins - Full Control + +Enterprise Admins - Full Control + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions +The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissionsVerifying the permissions on domain defined OUs. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. + +For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: +Right click the OU and select Properties. +Select the Security tab. + +If the permissions on the OU are not at least as restrictive as those below, this is a finding. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next Advanced button, selecting the desired Permission entry and the Edit button. + +Self - Special permissions + +Authenticated Users - Read, Special permissions +The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. 
+ +SYSTEM - Full Control + +Domain Admins - Full Control + +Enterprise Admins - Full Control + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions +The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + +If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO.SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN12-AD-000006-DCData files owned by users must be on a different logical partition from the directory server data files.<VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. 
+ +The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51180V-8317CCI-001082Ensure files owned by users are stored on a different logical partition then the directory server data files.Refer to the AD database location obtained in check V-8316. Note the logical drive (e.g., C:) on which the files are located. + +Determine if the server is currently providing file sharing services to users with the following command. +Enter "net share" at a command prompt. + +Note the logical drive(s) or file system partition for any site-created data shares. +Ignore all system shares (e.g., Windows NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored. + +If user shares are located on the same logical partition as the directory server data files, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>WN12-AD-000007-DCTime synchronization must be enabled on the domain controller.<VulnDiscussion>When a directory service using multi-master replication (such as AD) executes on computers that do not have synchronized time, directory data may be corrupted or updated invalidly. + +The lack of synchronized time could lead to audit log data that is misleading, inconclusive, or unusable. 
In cases of intrusion this may invalidate the audit data as a source of forensic evidence in an incident investigation. + +In AD, the lack of synchronized time could prevent clients from logging on or accessing server resources as a result of Kerberos requirements related to time variance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-8322SV-51181CCI-001891Ensure the Windows Time Service is configured as follows or install and enable another time synchronization tool. + +Registry Hive: HKEY_LOCAL_MACHINE + +Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ +Value Name: Enabled +Type: REG_DWORD +Value: 1 + +Registry Path: \System\CurrentControlSet\Services\W32Time\ Parameters\ +Value Name: Type +Type: REG_SZ +Value: NT5DS (preferred), NTP or AllsyncDetermine if a time synchronization tool has been implemented on the Windows domain controller. + +If the Windows Time Service is used, verify the following registry values. If they are not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE + +Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ +Value Name: Enabled +Type: REG_DWORD +Value: 1 + +Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\ +Value Name: Type +Type: REG_SZ +Value: NT5DS (preferred), NTP or Allsync + +If these Windows checks indicate a finding because the NtpClient is not enabled, determine if an alternate time synchronization tool is installed and enabled. 
+ +If the Windows Time Service is not enabled and no alternate tool is enabled, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-AD-000008-DCThe time synchronization tool must be configured to enable logging of time source switching.<VulnDiscussion>When a time synchronization tool executes, it may switch between time sources according to network or server contention. If switches between time sources are not logged, it may be difficult or impossible to detect malicious activity or availability problems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-8324SV-51182CCI-000366Configure the time synchronization tool to log time source switching. If the Windows Time Service is used, configure the following registry value. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\W32Time\Config\ + +Value Name: EventLogFlags + +Type: REG_DWORD +Value: 2 or 3Verify logging is configured to capture time source switches. + +If the Windows Time Service is used, verify the following registry value. If it is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\W32Time\Config\ + +Value Name: EventLogFlags + +Type: REG_DWORD +Value: 2 or 3 + +If another time synchronization tool is used, review the available configuration options and logs. 
If the tool has time source logging capability and it is not enabled, this is a finding.SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN12-AD-000009-DCThe directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function.<VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts increasing the attack surface of the computer. + +Some applications require the addition of privileged accounts providing potential sources of compromise. Some applications (such as MS Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected and this could interfere with intrusion detection or prevention services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-8326SV-51183CCI-001082Remove additional roles or applications such as web, database, and email from the domain controller.Review the roles and services the domain controller is running. +Run "services.msc" to display the Services console. + +Determine if any running services are application components. + +Examples of services indicating the presence of applications are: +-DHCP Server for DHCP server +-IIS Admin Service for IIS web server +-Microsoft Exchange System Attendant for Exchange +-MSSQLServer for SQL Server. 
+ +If any application-related components have the "Started" status, this is a finding. + +Installed roles can be displayed by viewing Server Roles in the Add (or Remove) Roles and Features wizard. (Cancel before any changes are made.) + +Determine if any additional server roles are installed. A basic domain controller set up will include the following: +-Active Directory Domain Services +-DNS Server +-File and Storage Services + +If any roles not requiring installation on a domain controller are installed, this is a finding. + +Supplemental Notes: +A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. + +Some directory servers utilize specialized web servers for administrative functions and databases for data management. These web and database servers are permitted as long as they are dedicated to directory server support and only administrative users have access to them.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-AD-000010-DCWindows services that are critical for directory server operation must be configured for automatic startup.<VulnDiscussion>Active Directory (AD) is dependent on several Windows services. If one or more of these services is not configured for automatic startup, AD functions may be partially or completely unavailable until the services are manually started. 
This could result in a failure to replicate data or to support client authentication and authorization requests.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-8327SV-51184CCI-000366Ensure the following services that are critical for directory server operation are configured for automatic startup. + +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically)Run "services.msc" to display the Services console. 
+ +Verify the Startup Type for the following Windows services: +- Active Directory Domain Services +- DFS Replication +- DNS Client +- DNS server +- Group Policy Client +- Intersite Messaging +- Kerberos Key Distribution Center +- NetLogon +- Windows Time (not required if another time synchronization tool is implemented to start automatically) + +If the Startup Type for any of these services is not Automatic, this is a finding.SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>WN12-AD-000011-DCSeparate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data<VulnDiscussion>Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51185V-14783CCI-002450Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfers replication data through a network cleared to a lower level than the data.With the assistance of the SA, NSO, or network reviewer as required, review the site network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted. 
+ +Determine the classification level of the Windows domain controller. + +If the classification level of the Windows domain controller is higher than the level of the networks, review the site network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic. + +If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-AD-000012-DCAnonymous access to the root DSE of a non-public directory must be disabled.<VulnDiscussion>Allowing anonymous access to the root DSE data on a directory server provides potential attackers with a number of details about the configuration and data contents of a directory. For example, the namingContexts attribute indicates the directory space contained in the directory; the supportedLDAPVersion attribute indicates which versions of the LDAP protocol the server supports; and the supportedSASLMechanisms attribute indicates the names of supported authentication mechanisms. An attacker with this information may be able to select more precisely targeted attack tools or higher value targets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14797SV-51186CCI-000366Implement network protections to reduce the risk of anonymous access. + +Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. 
+ +Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.At this time, this is a finding for all Windows domain controllers for sensitive or classified levels as Windows Active Directory Domain Services (AD DS) does not provide a method to restrict anonymous access to the root DSE on domain controllers. + +The following can be used to verify anonymous access is allowed. + +Open a command prompt (not elevated). +Run "ldp.exe". +From the Connection menu, select Bind. +Clear the User, Password, and Domain fields. +Select Simple bind for the Bind type, Click OK. + +RootDSE attributes should display, such as various namingContexts. + +Confirmation of anonymous access will be displayed at the end: +res = ldap_simple_bind_s +Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON'SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-AD-000013-DCDirectory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.<VulnDiscussion>To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. 
If other means of controlling access (such as, network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51187V-14798CCI-000366Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access. + +For AD, there are multiple configuration items that could enable anonymous access. + +Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc). + +The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG.Verify anonymous access is not allowed to the AD domain naming context. + +Open a command prompt (not elevated). +Run "ldp.exe". +From the Connection menu, select Bind. +Clear the User, Password, and Domain fields. +Select Simple bind for the Bind type, Click OK. + +Confirmation of anonymous access will be displayed at the end: +res = ldap_simple_bind_s +Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' + +From the Browse menu, select Search. +In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. +Clear the Attributes field and select Run. 
+ +Error messages should display related to bind and user not authenticated. + +If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>WN12-AD-000014-DCThe directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.<VulnDiscussion>The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14831SV-51188CCI-001133Configure the directory service to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity. + +Open an elevated command prompt. +Enter "ntdsutil". +At the "ntdsutil:" prompt, enter "LDAP policies". +At the "ldap policy:" prompt, enter "connections". +At the "server connections:" prompt, enter "connect to server [host-name]". +(Where [host-name] is the computer name of the domain controller.) 
+At the "server connections:" prompt, enter "q". +At the "ldap policy:" prompt, enter "Set MaxConnIdleTime to 300". +Enter "Commit Changes" to save. +Enter "Show values" to verify changes. +Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.Verify the value for MaxConnIdleTime. + +Open an elevated command prompt. +Enter "ntdsutil". +At the "ntdsutil:" prompt, enter "LDAP policies". +At the "ldap policy:" prompt, enter "connections". +At the "server connections:" prompt, enter "connect to server [host-name]". +(Where [host-name] is the computer name of the domain controller.) +At the "server connections:" prompt, enter "q". +At the "ldap policy:" prompt, enter "show values". + +If the value for MaxConnIdleTime is greater than 300 (the value for five minutes) or it is not specified, this is a finding. + +Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. + + +Alternately, Dsquery can be used to display MaxConnIdleTime: + +Open an elevated command prompt. +Enter the following command (on a single line). +dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits +The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil).SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>WN12-AD-000015-DCThe password for the krbtgt account on a domain must be reset at least every 180 days.<VulnDiscussion>The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domain is created and the password is typically not changed. If the krbtgt account is compromised, attackers can create valid Kerberos Ticket Granting Tickets (TGT). 
+ +The password must be changed twice to effectively remove the password history.Changing once, waiting for replication to complete and the amount of time equal to or greater than the maximum Kerberos ticket lifetime, and changing again reduces the risk of issues. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-101879V-91777CCI-000366Reset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. + +PowerShell scripts are available to accomplish this such as at the following link: +https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Select "Advanced Features" in the "View" menu if not previously selected. + +Select the "Users" node. + +Right click on the krbtgt account and select "Reset password". + +Enter a password that meets password complexity requirements. + +Clear the "User must change password at next logon" check box. + +The system will automatically change this to a system generated complex password.This requirement is applicable to domain controllers; it is NA for other systems. + +Open "Windows PowerShell". + +Enter "Get-ADUser krbtgt -Property PasswordLastSet". 
+ +If the "PasswordLastSet" date is more than 180 days old, this is a finding.SRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000001The system must be configured to audit Account Logon - Credential Validation successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53013V-26529CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> "Audit Credential Validation" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Logon -> Credential Validation - SuccessSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000002The system must be configured to audit Account Logon - Credential Validation failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26530SV-53011CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> "Audit Credential Validation" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Logon -> Credential Validation - FailureSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000011-DCWindows Server 2012/2012 R2 domain controllers must be configured to audit Account Management - Computer Account Management successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Computer Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling computer accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26531SV-52234CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Computer Account Management" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management >> Computer Account Management - SuccessSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000015The system must be configured to audit Account Management - Other Account Management Events successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Other Account Management Events records events such as the access of a password hash or the Password Policy Checking API being called.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26533SV-53009CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit Other Account Management Events" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Account Management -> Other Account Management Events - SuccessSRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>WN12-AU-000017The system must be configured to audit Account Management - Security Group Management successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Security Group Management records events such as creating, deleting, or changing security groups, including changes in group members.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26535SV-53007CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit Security Group Management" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> Security Group Management - SuccessSRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>WN12-AU-000019The system must be configured to audit Account Management - User Account Management successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53003V-26537CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit User Account Management" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows 
Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> User Account Management - SuccessSRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>WN12-AU-000020The system must be configured to audit Account Management - User Account Management failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53001V-26538CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit User Account Management" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Account Management -> User Account Management - FailureSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000023The system must be configured to audit Detailed Tracking - Process Creation successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Process Creation records events related to the creation of a process and the source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52999V-26539CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> "Audit Process Creation" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Detailed Tracking -> Process Creation - SuccessSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN12-AU-000030Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Account Lockout events can be used to identify potentially malicious logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-92765V-78057CCI-000172CCI-001404Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +Logon/Logoff >> Account Lockout - SuccessSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN12-AU-000031Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Account Lockout events can be used to identify potentially malicious logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-92769V-78059CCI-000172CCI-001404Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding. + +Logon/Logoff >> Account Lockout - FailureSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000031-DCThe system must be configured to audit DS Access - Directory Service Access successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detecting attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit directory service access records events related to users accessing an Active Directory object.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51151V-33663CCI-000172CCI-002234Detailed auditing subcategories are configured in Security Settings -> Advanced Audit Policy Configuration. The summary level settings under Security Settings -> Local Policies -> Audit Policy will not be enforced (see V-14230). 
+ +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> "Directory Service Access" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. + +DS Access -> Directory Service Access - SuccessSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000032-DCThe system must be configured to audit DS Access - Directory Service Access failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detecting attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Audit directory service access records events related to users accessing an Active Directory object.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51152V-33664CCI-000172CCI-002234Detailed auditing subcategories are configured in Security Settings -> Advanced Audit Policy Configuration. The summary level settings under Security Settings -> Local Policies -> Audit Policy will not be enforced (see V-14230). + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> "Directory Service Access" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. 
+ +DS Access -> Directory Service Access - FailureSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000035-DCThe system must be configured to audit DS Access - Directory Service Changes successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detecting attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit directory service changes records events related to changes made to objects in Active Directory Domain Services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51153V-33665CCI-000172CCI-002234Detailed auditing subcategories are configured in Security Settings -> Advanced Audit Policy Configuration. The summary level settings under Security Settings -> Local Policies -> Audit Policy will not be enforced (see V-14230). 
+ +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> "Directory Service Changes" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. + +DS Access -> Directory Service Changes - SuccessSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000036-DCThe system must be configured to audit DS Access - Directory Service Changes failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detecting attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Audit directory service changes records events related to changes made to objects in Active Directory Domain Services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51155V-33666CCI-000172CCI-002234Detailed auditing subcategories are configured in Security Settings -> Advanced Audit Policy Configuration. The summary level settings under Security Settings -> Local Policies -> Audit Policy will not be enforced (see V-14230). + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> DS Access -> "Directory Service Changes" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the Auditpol settings with the following. If the system does not audit the following, this is a finding. 
+ +DS Access -> Directory Service Changes - FailureSRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>WN12-AU-000045The system must be configured to audit Logon/Logoff - Logoff successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26540SV-52996CCI-000067CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Logoff" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logoff - SuccessSRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>WN12-AU-000047The system must be configured to audit Logon/Logoff - Logon successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52994V-26541CCI-000067CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Logon" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logon - SuccessSRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>WN12-AU-000048The system must be configured to audit Logon/Logoff - Logon failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Logon records user logons. If this is an interactive logon, it is recorded on the local system. 
If it is to a network share, it is recorded on the system accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26542SV-52993CCI-000067CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Logon" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Logon - FailureSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN12-AU-000053The system must be configured to audit Logon/Logoff - Special Logon successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Special Logon records special logons which have administrative privileges and can be used to elevate processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52987V-26543CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Special Logon" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Logon/Logoff -> Special Logon - SuccessSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN12-AU-000059The system must be configured to audit Object Access - Central Access Policy Staging successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Central Access Policy Staging auditing under Object Access is used to enable the recording of events related to differences in permissions between central access policies and proposed policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52161V-40202CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> "Audit Central Access Policy Staging" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +Object Access -> Central Policy Staging - SuccessSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN12-AU-000060The system must be configured to audit Object Access - Central Access Policy Staging failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Central Access Policy Staging auditing under Object Access is used to enable the recording of events related to differences in permissions between central access policies and proposed policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-40200SV-52159CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> "Audit Central Access Policy Staging" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access -> Central Policy Staging - FailureSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN12-AU-000081The system must be configured to audit Object Access - Removable Storage successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51601V-36668CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set 
to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Success + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.SRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN12-AU-000082The system must be configured to audit Object Access - Removable Storage failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36667SV-51604CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Failure + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. 
This may be set to Not Configured in such cases and would not be a finding.SRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN12-AU-000085The system must be configured to audit Policy Change - Audit Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Policy Change records events related to changes in audit policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52983V-26546CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Audit Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding. + +Policy Change -> Audit Policy Change - SuccessSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000086The system must be configured to audit Policy Change - Audit Policy Change failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Policy Change records events related to changes in audit policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52982V-26547CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Audit Policy Change" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Audit Policy Change - FailureSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000087The system must be configured to audit Policy Change - Authentication Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Authentication Policy Change records events related to changes in authentication policy, including Kerberos policy and Trust changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26548SV-52981CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Authentication Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Authentication Policy Change - SuccessSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN12-AU-000089The system must be configured to audit Policy Change - Authorization Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Authorization Policy Change records events related to changes in user rights, such as Create a token object.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-57633SV-72043CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Authorization Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to 
"Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Policy Change -> Authorization Policy Change - SuccessSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000101The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26549SV-52980CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Privilege Use -> "Audit Sensitive Privilege Use" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Privilege Use -> Sensitive Privilege Use - SuccessSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000102The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26550SV-52979CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Privilege Use -> "Audit Sensitive Privilege Use" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +Privilege Use -> Sensitive Privilege Use - FailureSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN12-AU-000103The system must be configured to audit System - IPsec Driver successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +IPsec Driver records events related to the IPSec Driver such as dropped packets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26551SV-52978CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit IPsec Driver" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> IPsec Driver - SuccessSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN12-AU-000104The system must be configured to audit System - IPsec Driver failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +IPsec Driver records events related to the IPsec Driver such as dropped packets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52977V-26552CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit IPsec Driver" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+ +System -> IPsec Driver - FailureSRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>WN12-AU-000105Windows Server 2012/2012 R2 must be configured to audit System - Other System Events successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. + +Satisfies: SRG-OS-000458-GPOS-00203</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-78061SV-92773CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). 
+ +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +System >> Other System Events - SuccessSRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>WN12-AU-000106Windows Server 2012/2012 R2 must be configured to audit System - Other System Events failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. + +Satisfies: SRG-OS-000458-GPOS-00203</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-78063SV-92781CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +System >> Other System Events - FailureSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000107The system must be configured to audit System - Security State Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Security State Change records events related to changes in the security state, such as startup and shutdown of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52976V-26553CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit Security State Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the 
detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> Security State Change - SuccessSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000109The system must be configured to audit System - Security System Extension successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Security System Extension records events related to extension code being loaded by the security subsystem.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52974V-26555CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit Security System Extension" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> Security System Extension - SuccessSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000111The system must be configured to audit System - System Integrity successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +System Integrity records events related to violations of integrity to the security subsystem.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26557SV-52972CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit System Integrity" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> System Integrity - SuccessSRG-OS-000471-GPOS-00215<GroupDescription></GroupDescription>WN12-AU-000112The system must be configured to audit System - System Integrity failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +System Integrity records events related to violations of integrity to the security subsystem.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26558SV-52971CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit System Integrity" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: +-Open a Command Prompt with elevated privileges ("Run as Administrator"). +-Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. + +System -> System Integrity - FailureSRG-OS-000255-GPOS-00096<GroupDescription></GroupDescription>WN12-AU-000200Audit data must be reviewed on a regular basis.<VulnDiscussion>To be of value, audit logs from critical systems must be reviewed on a regular basis. 
Critical systems should be reviewed on a daily basis to identify security breaches and potential weaknesses in the security structure. This can be done with the use of monitoring software or other utilities for this purpose.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36670SV-51561CCI-000366Review audit logs on a predetermined scheduled.Determine whether audit logs are reviewed on a predetermined schedule. If audit logs are not reviewed on a regular basis, this is a finding.SRG-OS-000255-GPOS-00096<GroupDescription></GroupDescription>WN12-AU-000201Audit data must be retained for at least one year.<VulnDiscussion>Audit records are essential for investigating system activity after the fact. Retention periods for audit data are determined based on the sensitivity of the data handled by the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36671SV-51563CCI-000366Ensure the audit data is retained for at least a year.Determine whether audit data is retained for at least one year. 
If the audit data is not retained for at least a year, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>WN12-AU-000203-01Audit records must be backed up onto a different system or media than the system being audited.<VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36672SV-51566CCI-001851Establish and implement a process for backing up log data to another system or media other than the system being audited.Determine if a process to back up log data to a different system or media than the system being audited has been implemented. If it has not, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>WN12-AU-000203-02The operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.<VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. 
Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-72133V-57719CCI-001851Configure the operating system to, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.Verify the operating system, at a minimum, off-loads audit records of interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>WN12-AU-000204Permissions for the Application event log must prevent access by nonprivileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
The Application event log may be susceptible to tampering if proper permissions are not applied.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36722SV-51569CCI-000162CCI-000163CCI-000164Ensure the permissions on the Application event log (Application.evtx) are configured to prevent standard user accounts or groups from having greater than Read access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. + +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. 
+ +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>WN12-AU-000205Permissions for the Security event log must prevent access by nonprivileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Security event log may disclose sensitive information or be susceptible to tampering if proper permissions are not applied.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51571V-36723CCI-000162CCI-000163CCI-000164Ensure the permissions on the Security event log (Security.evtx) are configured to prevent standard user accounts or groups from having access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. + +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. 
The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>WN12-AU-000206Permissions for the System event log must prevent access by nonprivileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The System event log may be susceptible to tampering if proper permissions are not applied.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36724SV-51572CCI-000162CCI-000163CCI-000164Ensure the permissions on the System event log (System.evtx) are configured to prevent standard user accounts or groups from having greater than Read access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. 
+ +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. + +If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.SRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN12-AU-000207-DCActive Directory Group Policy objects must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes Group Policy objects. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
+ +Satisfies: SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-39325SV-51169CCI-000172CCI-002234Configure the audit settings for Group Policy objects to include the following. + +This can be done at the Policy level in Active Directory to apply to all group policies. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Select "Advanced Features" from the "View" Menu. + +Navigate to [Domain] >> System >> Policies in the left panel. + +Right click "Policies", select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button. + +Select the "Auditing" tab. + +Type - Fail +Principal - Everyone +Access - Full Control +Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects + +The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. + +Type - Success +Principal - Everyone +Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) +Inherited from - Parent Object +Applies to - Descendant groupPolicyContainer objects + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) +Inherited from - Parent Object +Applies to - Descendant Organization Unit ObjectsReview the auditing configuration for all Group Policy objects. + +Open "Group Policy Management". (Available from various menus, or run "gpmc.msc".) + +Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). + +For each Group Policy object: + +Select the Group Policy Object item in the left pane. + +Select the "Delegation" tab in the right pane. + +Select the "Advanced" button. + +Select the "Advanced" button again and then the "Auditing" tab. + +If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects + +The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. + +Type - Success +Principal - Everyone +Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) +Inherited from - Parent Object +Applies to - Descendant groupPolicyContainer objects + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) +Inherited from - Parent Object +Applies to - Descendant Organization Unit ObjectsSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN12-AU-000208-DCThe Active Directory Domain object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
+ +Satisfies: SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-39326SV-51170CCI-000172CCI-002234Configure the audit settings for Domain object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - None +Applies to - Special + +Type - Success +Principal - Domain Users +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Administrators +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner.)Verify the auditing configuration for the Domain object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select the domain being reviewed in the left pane. +Right click the domain name and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. 
+ +If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - None +Applies to - Special + +Type - Success +Principal - Domain Users +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Administrators +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner)SRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN12-AU-000209-DCThe Active Directory Infrastructure object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Infrastructure object. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. + +Satisfies: SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51171V-39327CCI-000172CCI-002234Configure the audit settings for Infrastructure object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +(Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain)Verify the auditing configuration for Infrastructure object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select the domain being reviewed in the left pane. 
+Right click the Infrastructure object in the right pane and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +(Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain)SRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN12-AU-000210-DCThe Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain Controller OU object. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. + +Satisifes: SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-39328SV-51172CCI-000172CCI-002234Configure the audit settings for Domain Controllers OU object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: all create, delete and modify permissions) + +Type - Success +Principal - Everyone +Access - Write all properties +Inherited from - None +Applies to - This object and all descendant objects + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objectsVerify the auditing configuration for the Domain Controller OU object. 
+ +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select the Domain Controllers OU under the domain being reviewed in the left pane. +Right click the Domain Controllers OU object and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object and all descendant objects + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: all create, delete and modify permissions) + +Type - Success +Principal - Everyone +Access - Write all properties +Inherited from - None +Applies to - This object and all descendant objects + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objectsSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN12-AU-000211-DCThe Active Directory AdminSDHolder object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. 
A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the AdminSDHolder object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. + +Satisfies: SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51173V-39329CCI-000172CCI-002234Configure the audit settings for AdminSDHolder object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. 
+ +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Write all properties, Modify permissions, Modify owner) + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objectsVerify the auditing configuration for the AdminSDHolder object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select System under the domain being reviewed in the left pane. +Right click the AdminSDHolder object in the right pane and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the AdminSDHolder object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Write all properties, Modify permissions, Modify owner) + +Two instances with the following summary information will be listed. 
+Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objectsSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN12-AU-000212-DCThe Active Directory RID Manager$ object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the RID Manager$ object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
+ +Satisfies: SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-39330SV-51174CCI-000172CCI-002234Configure the audit settings for RID Manager$ object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None + (Access - Special = Write all properties, All extended rights, Change RID master) + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain)Verify the auditing configuration for the RID Manager$ object. + +Open "Active Directory Users and Computers". (Available from various menus or run "dsa.msc".) +Ensure Advanced Features is selected in the View menu. +Select System under the domain being reviewed in the left pane. +Right-click the RID Manager$ object in the right pane and select Properties. +Select the Security tab. +Select the Advanced button and then the Auditing tab. + +If the audit settings on the RID Manager$ object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. 
Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference, various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None + (Access - Special = Write all properties, All extended rights, Change RID master) + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain)SRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>WN12-AU-000213Event Viewer must be protected from unauthorized modification and deletion.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification or deletion of audit tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-57721SV-72135CCI-001494CCI-001495Ensure only TrustedInstaller has permissions to change or modify Event Viewer ("%SystemRoot%\SYSTEM32\Eventvwr.exe). + +The default permissions below satisfy this requirement. 
+TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & ExecuteVerify the permissions on Event Viewer only allow TrustedInstaller permissions to change or modify. If any groups or accounts other than TrustedInstaller have Full control or Modify, this is a finding. + +Navigate to "%SystemRoot%\SYSTEM32". +View the permissions on "Eventvwr.exe". + +The default permissions below satisfy this requirement. +TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & ExecuteSRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000001The Mapper I/O network protocol (LLTDIO) driver must be disabled.<VulnDiscussion>The Mapper I/O network protocol (LLTDIO) driver allows the discovery of the connected network and allows various options to be enabled. Disabling this helps protect the system from potentially discovering and connecting to unauthorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53072V-15696CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Link-Layer Topology Discovery -> "Turn on Mapper I/O (LLTDIO) driver" to "Disabled".If the following registry values do not exist or are not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ + +Value Name: AllowLLTDIOOndomain +Value Name: AllowLLTDIOOnPublicNet +Value Name: EnableLLTDIO +Value Name: ProhibitLLTDIOOnPrivateNet + +Type: REG_DWORD 
+Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000002The Responder network protocol driver must be disabled.<VulnDiscussion>The Responder network protocol driver allows a computer to be discovered and located on a network. Disabling this helps protect the system from potentially being discovered and connected to by unauthorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53081V-15697CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Link-Layer Topology Discovery -> "Turn on Responder (RSPNDR) driver" to "Disabled".If the following registry values do not exist or are not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ + +Value Name: AllowRspndrOndomain +Value Name: AllowRspndrOnPublicNet +Value Name: EnableRspndr +Value Name: ProhibitRspndrOnPrivateNet + +Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000003Windows Peer-to-Peer networking services must be turned off.<VulnDiscussion>Peer-to-Peer applications can allow unauthorized access to a system and exposure of sensitive data. 
This setting will turn off the Microsoft Peer-to-Peer Networking Service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53012V-15666CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Microsoft Peer-to-Peer Networking Services -> "Turn off Microsoft Peer-to-Peer Networking Services" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Peernet\ + +Value Name: Disabled + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000004Network Bridges must be prohibited in Windows.<VulnDiscussion>A Network Bridge can connect two or more network segments, allowing unauthorized access or exposure of sensitive data. 
This setting prevents a Network Bridge from being installed and configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15667SV-53014CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> "Prohibit installation and configuration of Network Bridge on your DNS domain network" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ + +Value Name: NC_AllowNetBridge_NLA + +Type: REG_DWORD +Value: 0SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN12-CC-000005Domain users must be required to elevate when setting a networks location.<VulnDiscussion>Selecting an incorrect network location may allow greater exposure of a system. Elevation is required by default on nondomain systems to change network location. 
This setting configures elevation to also be required on domain-joined systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53182V-21960CCI-001084Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> "Require domain users to elevate when setting a network's location" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ + +Value Name: NC_StdDomainUserSetLocation + +Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000006All Direct Access traffic must be routed through the internal network.<VulnDiscussion>Routing all Direct Access traffic through the internal network allows monitoring and prevents split tunneling.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53183V-21961CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> "Route all traffic 
through the internal network" to "Enabled: Enabled State".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: Force_Tunneling + +Type: REG_SZ +Value: EnabledSRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000007The 6to4 IPv6 transition technology must be disabled.<VulnDiscussion>IPv6 transition technologies, which tunnel packets through other protocols, do not provide visibility.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52970V-26575CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies -> "Set 6to4 State" to "Enabled: Disabled State".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: 6to4_State + +Type: REG_SZ +Value: DisabledSRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000008The IP-HTTPS IPv6 transition technology must be disabled.<VulnDiscussion>IPv6 transition technologies, which tunnel packets through other protocols, do not provide 
visibility.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52969V-26576CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies -> "Set IP-HTTPS State" to "Enabled: Disabled State". + +Note: "IPHTTPS URL:" must be entered in the policy even if set to Disabled State. Enter "about:blank".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\ + +Value Name: IPHTTPS_ClientState + +Type: REG_DWORD +Value: 3SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000009The ISATAP IPv6 transition technology must be disabled.<VulnDiscussion>IPv6 transition technologies, which tunnel packets through other protocols, do not provide visibility.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26577SV-52968CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> 
IPv6 Transition Technologies -> "Set ISATAP State" to "Enabled: Disabled State".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: ISATAP_State + +Type: REG_SZ +Value: DisabledSRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>WN12-CC-000010The Teredo IPv6 transition technology must be disabled.<VulnDiscussion>IPv6 transition technologies, which tunnel packets through other protocols, do not provide visibility.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52967V-26578CCI-000382Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies -> "Set Teredo State" to "Enabled: Disabled State".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ + +Value Name: Teredo_State + +Type: REG_SZ +Value: DisabledSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000011IP stateless autoconfiguration limits state must be enabled.<VulnDiscussion>IP stateless autoconfiguration could configure routes that circumvent preferred routes if not 
limited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51605V-36673CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> Parameters -> "Set IP Stateless Autoconfiguration Limits State" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableIPAutoConfigurationLimits + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000012The configuration of wireless devices using Windows Connect Now must be disabled.<VulnDiscussion>Windows Connect Now allows the discovery and configuration of devices over wireless. Wireless devices must be managed. 
If a rogue device is connected to a system, there is potential for sensitive information to be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15698SV-53085CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Windows Connect Now -> "Configuration of wireless settings using Windows Connect Now" to "Disabled".If the following registry values do not exist or are not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ + +Value Name: DisableFlashConfigRegistrar +Value Name: DisableInBand802DOT11Registrar +Value Name: DisableUPnPRegistrar +Value Name: DisableWPDRegistrar +Value Name: EnableRegistrars + +Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000013The Windows Connect Now wizards must be disabled.<VulnDiscussion>Windows Connect Now provides wizards for tasks such as "Set up a wireless router or access point" and must not be available to users. 
Functions such as these may allow unauthorized connections to a system and the potential for sensitive information to be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53089V-15699CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Windows Connect Now -> "Prohibit access of the Windows Connect Now wizards" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WCN\UI\ + +Value Name: DisableWcnUi + +Type: REG_DWORD +Value: 1SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-CC-000016Windows Update must be prevented from searching for point and print drivers.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. +This setting will prevent Windows from searching Windows Update for point and print drivers. 
Only the local driver store and server driver cache will be searched.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-21963SV-53184CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> Printers -> "Extend Point and Print connection to search Windows Update" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DoNotInstallCompatibleDriverFromWindowsUpdate + +Type: REG_DWORD +Value: 1SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-CC-000018Optional component installation and component repair must be prevented from using Windows Update.<VulnDiscussion>Uncontrolled system updates can introduce issues to a system. Obtaining update components from an outside source may also potentially provide sensitive information outside of the enterprise. 
Optional component installation or repair must be obtained from an internal source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36677SV-51606CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> System -> "Specify settings for optional component installation and component repair" to "Enabled" and with "Never attempt to download payload from Windows Update" selected.If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\ + +Value Name: UseWindowsUpdate + +Type: REG_DWORD +Value: 2SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000019Remote access to the Plug and Play interface must be disabled for device installation.<VulnDiscussion>Remote access to the Plug and Play interface could potentially allow connections by unauthorized devices. 
This setting configures remote access to the Plug and Play interface and must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15700SV-53094CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Allow remote access to the Plug and Play interface" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: AllowRemoteRPC + +Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000020An Error Report must not be sent when a generic device driver is installed.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting prevents an error report from being sent when a generic device driver is installed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15702SV-53105CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Do not send a Windows error report when a generic driver is installed on a device" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSendGenericDriverNotFoundToWER + +Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000021A system restore point must be created when a new device driver is installed.<VulnDiscussion>A system restore point allows a rollback if an issue is encountered when a new device driver is installed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15701SV-53099CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> System 
-> Device Installation -> "Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSystemRestore + +Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000022Device metadata retrieval from the Internet must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. +This setting will prevent Windows from retrieving device metadata from the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53185V-21964CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Installation >> "Prevent device metadata retrieval from the Internet" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Device Metadata\ + +Value Name: PreventDeviceMetadataFromNetwork + +Value Type: REG_DWORD +Value: 
1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000023Windows must be prevented from sending an error report when a device driver requests additional software during installation.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. +This setting will prevent Windows from sending an error report to Microsoft when a device driver requests additional software during installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52962V-28504CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Prevent Windows from sending an error report when a device driver requests additional software during installation" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ + +Value Name: DisableSendRequestAdditionalSoftwareToWER + +Type: REG_DWORD +Value: 1SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-CC-000024Device driver searches using Windows Update must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. +This setting will prevent the system from searching Windows Update for device drivers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53186V-21965CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Specify search order for device driver source locations" to "Enabled: Do not search Windows Update".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: SearchOrderConfig + +Type: REG_DWORD +Value: 0SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-CC-000025Device driver updates must only search managed servers, not Windows Update.<VulnDiscussion>Uncontrolled system updates can introduce issues to a system. Obtaining update components from an outside source may also potentially provide sensitive information outside of the enterprise. 
Device driver updates must be obtained from an internal source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51607V-36678CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Specify the search server for device driver updates" to "Enabled" with "Search Managed Server" selected.If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DriverServerSelection + +Type: REG_DWORD +Value: 1SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-CC-000026Users must not be prompted to search Windows Update for device drivers.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting prevents users from being prompted to search Windows Update for device drivers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53115V-15703CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Driver Installation -> "Turn off Windows Update device driver search prompt" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DontPromptForWindowsUpdate + +Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000027Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.<VulnDiscussion>Compromised boot drivers can introduce malware prior to some protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on classifications determined by the malware protection application. 
At a minimum, drivers determined to be bad must not be allowed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51608V-36679CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Early Launch Antimalware -> "Boot-Start Driver Initialization Policy" to "Enabled" with "Good and Unknown" selected.If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Policies\EarlyLaunch\ + +Value Name: DriverLoadPolicy + +Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000028Group Policy objects must be reprocessed even if they have not changed.<VulnDiscussion>Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures that the policies will be reprocessed even if none have been changed. 
This way, any unauthorized changes are forced to match the domain-based group policy settings again.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52933V-4448CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Group Policy -> "Configure registry policy processing" to "Enabled" and select the option "Process even if the Group Policy objects have not changed".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ + +Value Name: NoGPOListChanges + +Type: REG_DWORD +Value: 0SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000029Group Policies must be refreshed in the background if the user is logged on.<VulnDiscussion>If this setting is enabled, then Group Policy settings are not refreshed while a user is currently logged on. 
This could lead to instances when a user does not have the latest changes to a policy applied and is therefore operating in an insecure context.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3469SV-52906CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Group Policy -> "Turn off background refresh of Group Policy" to "Disabled".Review the registry. +If the following registry value does not exist, this is not a finding (this is the expected result from configuring the policy as outlined in the Fix section.): +If the following registry value exists but is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\system\ + +Value Name: DisableBkGndGroupPolicy + +Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000030Access to the Windows Store must be turned off.<VulnDiscussion>Uncontrolled installation of applications can introduce various issues, including system instability, and allow access to sensitive information. Installation of applications must be controlled by the enterprise. 
Turning off access to the Windows Store will limit access to publicly available applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36680SV-51609CCI-000366If the \Windows\WinStore directory exists, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off access to the Store" to "Enabled". + +Alternately, uninstall the "Desktop Experience" feature from Windows 2012. This is located under "User Interfaces and Infrastructure" in the "Add Roles and Features Wizard". The \Windows\WinStore directory may need to be manually deleted after this.The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoUseStoreOpenWith + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000032Downloading print driver packages over HTTP must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14260SV-52998CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off downloading of print drivers over HTTP" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableWebPnPDownload + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000033Event Viewer Events.asp links must be turned off.<VulnDiscussion>Viewing events is a function of administrators, who must not access the internet with privileged accounts. 
This setting will disable Events.asp hyperlinks in Event Viewer to prevent links to the internet from within events.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15672SV-53017CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Event Viewer "Events.asp" links" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\EventViewer\ + +Value Name: MicrosoftEventVwrDisableLinks + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000035Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting prevents errors in handwriting recognition on tablet PCs from being reported to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53116V-15704CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off handwriting recognition error reporting" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\HandwritingErrorReports\ + +Value Name: PreventHandwritingErrorReports + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000038The Internet File Association service must be turned off.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting prevents unhandled file associations from using the Microsoft Web service to find an application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15674SV-53021CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Internet File Association service" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoInternetOpenWith + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000039Printing over HTTP must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52997V-14259CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off printing over HTTP" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableHTTPPrinting + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000045The Windows Customer Experience Improvement Program must be disabled.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting ensures the Windows Customer Experience Improvement Program is disabled so information is not passed to the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-16020SV-53143CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Windows Customer Experience Improvement Program" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\SQMClient\Windows\ + +Value Name: CEIPEnable + +Type: REG_DWORD +Value: 0SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-CC-000047Windows must be prevented from using Windows Update to search for drivers.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting prevents Windows from searching Windows Update for device drivers when no local drivers for a device are present.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53000V-14261CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Windows Update device driver searching" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ + +Value Name: DontSearchWindowsUpdate + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000048Copying of user input methods to the system account for sign-in must be prevented.<VulnDiscussion>Allowing different input methods for sign-in could open different avenues of attack. 
User input methods must be restricted to those enabled for the system account at sign-in.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51610V-36681CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Locale Services -> "Disallow copying of user input methods to the system account for sign-in" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Control Panel\International\ + +Value Name: BlockUserInputMethodsForSignIn + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000051Local users on domain-joined computers must not be enumerated.<VulnDiscussion>The username is one part of logon credentials that could be used to gain access to a system. 
Preventing the enumeration of users limits this information to authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36684SV-51611CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Logon -> "Enumerate local users on domain-joined computers" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: EnumerateLocalUsers + +Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000052App notifications on the lock screen must be turned off.<VulnDiscussion>App notifications that are displayed on the lock screen could display sensitive information to unauthorized personnel. 
Turning off this feature will limit access to the information to a logged on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36687SV-51612CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Logon -> "Turn off app notifications on the lock screen" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\System\ + +Value Name: DisableLockScreenAppNotifications + +Type: REG_DWORD +Value: 1SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>WN12-CC-000054Users must be prompted to authenticate on resume from sleep (on battery).<VulnDiscussion>Authentication must always be required when accessing a system. 
This setting ensures the user is prompted for a password on resume from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53131V-15705CCI-002038Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Power Management -> Sleep Settings -> "Require a password when a computer wakes (on battery)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: DCSettingIndex + +Type: REG_DWORD +Value: 1SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>WN12-CC-000055The user must be prompted to authenticate on resume from sleep (plugged in).<VulnDiscussion>Authentication must always be required when accessing a system. 
This setting ensures the user is prompted for a password on resume from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53132V-15706CCI-002038Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Power Management -> Sleep Settings -> "Require a password when a computer wakes (plugged in)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: ACSettingIndex + +Type: REG_DWORD +Value: 1SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN12-CC-000058The system must be configured to prevent unsolicited remote assistance offers.<VulnDiscussion>Remote assistance allows another user to view or take control of the local session of a user. Unsolicited remote assistance is help that is offered by the remote user. 
This may allow unauthorized parties access to the resources on the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52917V-3470CCI-001090Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Assistance -> "Configure Offer Remote Assistance" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fAllowUnsolicited + +Type: REG_DWORD +Value: 0SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN12-CC-000059Solicited Remote Assistance must not be allowed.<VulnDiscussion>Remote assistance allows another user to view or take control of the local session of a user. Solicited assistance is help that is specifically requested by the local user. 
This may allow unauthorized parties access to the resources on the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3343SV-52885CCI-001090Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Assistance -> "Configure Solicited Remote Assistance" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fAllowToGetHelp + +Type: REG_DWORD +Value: 0SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000062Remote Assistance log files must be generated.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
This setting will turn on session logging for Remote Assistance connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53133V-15707CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Assistance -> "Turn on session logging" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: LoggingEnabled + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000065The detection of compatibility issues for applications and drivers must be turned off.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this feature will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51737V-36696CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Application Compatibility Diagnostics -> "Detect compatibility issues for applications and drivers" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ + +Value Name: DisablePcaUI + +Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000066Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting prevents the MSDT from communicating with and sending collected data to Microsoft, the default support provider.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53187V-21967CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Microsoft Support Diagnostic Tool -> "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ + +Value Name: DisableQueryRemoteServer + +Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000067Access to Windows Online Troubleshooting Service (WOTS) must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. +This setting prevents users from searching troubleshooting content on Microsoft servers. 
Only local content will be available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-21969SV-53188CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics -> "Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ + +Value Name: EnableQueryRemoteServer + +Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000068Responsiveness events must be prevented from being aggregated and sent to Microsoft.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting prevents responsiveness events from being aggregated and sent to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53128V-21970CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Windows Performance PerfTrack -> "Enable/Disable PerfTrack" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ + +Value Name: ScenarioExecutionEnabled + +Type: REG_DWORD +Value: 0SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>WN12-CC-000069The time service must synchronize with an appropriate DoD time source.<VulnDiscussion>The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Windows Time Service is used, it must synchronize with a secure, authorized time source. Domain-joined systems are automatically configured to synchronize with domain controllers. 
If an NTP server is configured, it must synchronize with a secure, authorized time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3472SV-52919CCI-001891If the system needs to be configured to an NTP server, configure the system to point to an authorized time server by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an authorized time server. + +The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.Open "Windows PowerShell" or an elevated "Command Prompt" (run as administrator). + +Enter "W32tm /query /configuration". + +Domain-joined systems are automatically configured with a "Type" of "NT5DS" to synchronize with domain controllers and would not be a finding. + +If systems are configured with a "Type" of "NTP", including standalone systems and the forest root domain controller with the PDC Emulator role, and do not have a DoD time server defined for "NTPServer", this is a finding. (See V-8557 in the Active Directory Forest STIG for the time source requirement of the forest root domain PDC emulator.) 
+ +If an alternate time synchronization tool is used and is not enabled or not configured to synchronize with a DoD time source, this is a finding. + +The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000070Trusted app installation must be enabled to allow for signed enterprise line of business apps.<VulnDiscussion>Enabling trusted app installation allows for enterprise line of business Windows 8 type apps. A trusted app package is one that is signed with a certificate chain that can be successfully validated in the enterprise. Configuring this ensures enterprise line of business apps are accessible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36697SV-51738CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> App Package Deployment -> "Allow all trusted apps to install" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Appx\ + +Value Name: AllowAllTrustedApps + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000071The Application Compatibility Program 
Inventory must be prevented from collecting data and sending the information to Microsoft.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. +This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-21971SV-53127CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Application Compatibility -> "Turn off Inventory Collector" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ + +Value Name: DisableInventory + +Type: REG_DWORD +Value: 1SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>WN12-CC-000072Autoplay must be turned off for non-volume devices.<VulnDiscussion>Allowing Autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. 
This setting will disable Autoplay for non-volume devices (such as Media Transfer Protocol (MTP) devices).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-21973SV-53126CCI-001764Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies -> "Disallow Autoplay for non-volume devices" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoAutoplayfornonVolume + +Type: REG_DWORD +Value: 1SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>WN12-CC-000073The default Autorun behavior must be configured to prevent Autorun commands.<VulnDiscussion>Allowing Autorun commands to execute may introduce malicious code to a system. 
Configuring this setting prevents Autorun commands from executing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-22692SV-53124CCI-001764Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies -> "Set the default behavior for AutoRun" to "Enabled:Do not execute any autorun commands".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoAutorun + +Type: REG_DWORD +Value: 1SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>WN12-CC-000074Autoplay must be disabled for all drives.<VulnDiscussion>Allowing Autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, Autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. 
Enabling this policy disables Autoplay on all drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-2374SV-52879CCI-001764Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies -> "Turn off AutoPlay" to "Enabled:All Drives".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ + +Value Name: NoDriveTypeAutoRun + +Type: REG_DWORD +Value: 0x000000ff (255)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000075The use of biometrics must be disabled.<VulnDiscussion>Allowing biometrics may bypass required authentication methods. Biometrics may only be used as an additional authentication factor where an enhanced strength of identity credential is necessary or desirable. 
Additional factors must be met per DoD policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51739V-36698CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics -> "Allow the use of biometrics" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\ + +Value Name: Enabled + +Type: REG_DWORD +Value: 0SRG-OS-000079-GPOS-00047<GroupDescription></GroupDescription>WN12-CC-000076The password reveal button must not be displayed.<VulnDiscussion>Visible passwords may be seen by nearby persons, compromising them. 
The password reveal button can be used to display an entered password and must not be allowed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51740V-36700CCI-000206Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Credential User Interface -> "Do not display the password reveal button" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\CredUI\ + +Value Name: DisablePasswordReveal + +Type: REG_DWORD +Value: 1SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN12-CC-000077Administrator accounts must not be enumerated during elevation.<VulnDiscussion>Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. 
This setting configures the system to always require users to enter in a username and password to elevate a running application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14243SV-52955CCI-001084Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ + +Value Name: EnumerateAdministrators + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>WN12-CC-000084The Application event log size must be configured to 32768 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26579SV-52966CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater)SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>WN12-CC-000085The Security event log size must be configured to 196608 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26580SV-52965CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Security >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "196608" or greater.If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00030000 (196608) (or greater)SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>WN12-CC-000086The Setup event log size must be configured to 32768 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52964V-26581CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Setup >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater)SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>WN12-CC-000087The System event log size must be configured to 32768 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26582SV-52963CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> System >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000088Windows SmartScreen must be enabled on Windows 2012/2012 R2.<VulnDiscussion>Windows SmartScreen helps protect systems from programs downloaded from the Internet that may be malicious. 
Warning a user before running downloaded unknown software, at minimum, will help prevent potentially malicious programs from executing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51747V-36707CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled" with either "Give user a warning before running downloaded unknown software" or "Require approval from an administrator before running downloaded unknown software" selected. + +Microsoft has changed this setting several times in the Windows 10 administrative templates, which will affect group policies in a domain if later templates are used. + +v1607 of Windows 10 and Windows Server 2016 changed the setting to only Enabled or Disabled without additional selections. Enabled is effectively "Give user a warning…". + +v1703 of Windows 10 or later administrative templates changed the policy name to "Configure Windows Defender SmartScreen", and the selectable options are "Warn" and "Warn and prevent bypass". When either of these are applied to a Windows 2012/2012 R2 system, it will configure the registry equivalent of "Give user a warning…").This is applicable to unclassified systems; for other systems, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ + +Value Name: EnableSmartScreen + +Type: REG_DWORD +Value: 0x00000001 (1) (Give user a warning…) +Or 0x00000002 (2) (Require approval…)SRG-OS-000433-GPOS-00192<GroupDescription></GroupDescription>WN12-CC-000089Explorer Data Execution Prevention must be enabled.<VulnDiscussion>Data Execution Prevention (DEP) provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being turned off for File Explorer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-21980SV-53125CCI-002824Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off Data Execution Prevention for Explorer" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoDataExecutionPrevention + +Type: REG_DWORD +Value: 0SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>WN12-CC-000090Turning off File Explorer heap termination on corruption must be disabled.<VulnDiscussion>Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. 
Disabling this feature will prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15718SV-53137CCI-002385Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off heap termination on corruption" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoHeapTerminationOnCorruption + +Type: REG_DWORD +Value: 0SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000091File Explorer shell protocol must run in protected mode.<VulnDiscussion>The shell protocol will limit the set of folders applications can open when run in protected mode. 
Restricting files an application can open to a limited set of folders increases the security of Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53045V-15683CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off shell protocol protected mode" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: PreXPSP2ShellProtocolBehavior + +Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000095The location feature must be turned off.<VulnDiscussion>The location service on systems may allow sensitive data to be used by applications on the system. 
This should be turned off unless explicitly allowed for approved systems/applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36708SV-51748CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Location and Sensors -> "Turn off location" to "Enabled". + +If location services are approved by the organization for a device, this must be documented.If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\LocationAndSensors\ + +Value Name: DisableLocation + +Type: REG_DWORD +Value: 1 (Enabled) + +If location services are approved for the system by the organization, this may be set to "Disabled" (0). This must be documented with the ISSO.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>WN12-CC-000096Passwords must not be saved in the Remote Desktop Client.<VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. 
The system must be configured to prevent users from saving passwords in the Remote Desktop Client.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14247SV-52958CCI-002038Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client -> "Do not allow passwords to be saved" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: DisablePasswordSaving + +Type: REG_DWORD +Value: 1SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN12-CC-000098Local drives must be prevented from sharing with Remote Desktop Session Hosts. 
(Remote Desktop Services Role).<VulnDiscussion>Preventing users from sharing the local drives on their client computers to Remote Session Hosts that they access helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52959V-14249CCI-001090Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow drive redirection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableCdm + +Type: REG_DWORD +Value: 1SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>WN12-CC-000099Remote Desktop Services must always prompt a client for passwords upon connection.<VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. 
Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3453SV-52898CCI-002038Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> "Always prompt for password upon connection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fPromptForPassword + +Type: REG_DWORD +Value: 1SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>WN12-CC-000100Remote Desktop Services must be configured with the client connection encryption set to the required level.<VulnDiscussion>Remote connections must be encrypted to prevent interception of data or sensitive information. 
Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52899V-3454CCI-000068CCI-002890Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> "Set client connection encryption level" to "Enabled" and "High Level".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: MinEncryptionLevel + +Type: REG_DWORD +Value: 3SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000103Remote Desktop Services must delete temporary folders when a session is terminated.<VulnDiscussion>Remote desktop session temporary folders must always be deleted after a session is over to prevent hard disk clutter and potential leakage of information. 
This setting controls the deletion of the temporary folders when the session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3456SV-52901CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Temporary Folders -> "Do not delete temp folder upon exit" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: DeleteTempDirsOnExit + +Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000104Remote Desktop Services must be configured to use session-specific temporary folders.<VulnDiscussion>If a communal temporary folder is used for remote desktop sessions, it might be possible for users to access other users' temporary folders. If this setting is enabled, only one temporary folder is used for all remote desktop sessions. 
Per session temporary folders must be established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3455SV-52900CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Temporary Folders -> "Do not use temporary folders per session" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: PerSessionTempDir + +Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000105Attachments must be prevented from being downloaded from RSS feeds.<VulnDiscussion>Attachments from RSS feeds may not be secure. 
This setting will prevent attachments from being downloaded from RSS feeds.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15682SV-53040CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> RSS Feeds -> "Prevent downloading of enclosures" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: DisableEnclosureDownload + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000106Basic authentication for RSS feeds over HTTP must be turned off.<VulnDiscussion>Basic authentication uses plain text passwords that could be used to compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51749V-36709CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> RSS Feeds -> "Turn on Basic feed authentication over HTTP" to "Disabled".If the following registry value 
does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: AllowBasicAuthInClear + +Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000109Automatic download of updates from the Windows Store must be turned off.<VulnDiscussion>Uncontrolled system updates can introduce issues to a system. Obtaining update components from an outside source may also potentially allow sensitive information outside of the enterprise. Application updates must be obtained from an internal source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36710SV-51750CCI-000366The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. + +Windows 2012 R2: +Windows 2012 R2 split the original policy that configures this setting into two separate ones. Configuring either one to "Enabled" will update the registry value as identified in the Check section. + +Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Store -> +"Turn off Automatic Download of updates on Win8 machines" or "Turn off Automatic Download and install of updates" to "Enabled". + +Windows 2012: +Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Store -> "Turn off Automatic Download of updates" to "Enabled".The Windows Store is not installed by default. 
If the \Windows\WinStore directory does not exist, this is NA. +If the following registry value does not exist or is not configured as specified, this is a finding: + +Windows 2012 R2: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ + +Value Name: AutoDownload + +Type: REG_DWORD +Value: 0x00000002 (2) + +Windows 2012: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate\ + +Value Name: AutoDownload + +Type: REG_DWORD +Value: 0x00000002 (2)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000110The Windows Store application must be turned off.<VulnDiscussion>Uncontrolled installation of applications can introduce various issues, including system instability, and provide access to sensitive information. Installation of applications must be controlled by the enterprise. Turning off access to the Windows Store will limit access to publicly available applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36711SV-51751CCI-000366The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. + +Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Store -> "Turn off the Store application" to "Enabled".The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. 
+If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ + +Value Name: RemoveWindowsStore + +Type: REG_DWORD +Value: 1SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-CC-000115Users must be prevented from changing installation options.<VulnDiscussion>Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53061V-15685CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Allow user control over installs" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: EnableUserControl + +Type: REG_DWORD +Value: 0SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-CC-000116The Windows Installer Always install with elevated privileges option must be disabled.<VulnDiscussion>Standard user accounts must not be granted elevated privileges. 
Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52954V-34974CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Always install with elevated privileges" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: AlwaysInstallElevated + +Type: REG_DWORD +Value: 0SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000117Users must be notified if a web-based program attempts to install software.<VulnDiscussion>Users must be aware of attempted program installations. 
This setting ensures users are notified if a web-based program attempts to install software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53056V-15684CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: SafeForScripting + +Type: REG_DWORD +Value: 0SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-CC-000118Nonadministrators must be prevented from applying vendor-signed updates.<VulnDiscussion>Uncontrolled system updates can introduce issues to a system. 
This setting will prevent users from applying vendor-signed updates (though they may be from a trusted source).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15686SV-53065CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Prohibit non-administrators from applying vendor signed updates" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\Installer\ + +Value Name: DisableLUAPatching + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000120Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This check verifies that Windows Media DRM will be prevented from accessing the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53139V-15722CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Digital Rights Management -> "Prevent Windows Media DRM Internet Access" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WMDRM\ + +Value Name: DisableOnline + +Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000121Users must not be presented with Privacy and Installation options on first use of Windows Media Player.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting prevents users from being presented with Privacy and Installation options on first use of Windows Media Player, which could enable some communication with the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53069V-15687CCI-000366If Windows Media Player is installed, configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> "Do Not Show First Use Dialog Boxes" to "Enabled".Windows Media Player is not installed by default. If it is not installed, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: GroupPrivacyAcceptance + +Type: REG_DWORD +Value: 1SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-CC-000122Windows Media Player must be configured to prevent automatic checking for updates.<VulnDiscussion>Uncontrolled system updates can introduce issues to a system. 
The automatic check for updates performed by Windows Media Player must be disabled to ensure a constant platform and to prevent the introduction of unknown\untested software on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53130V-3480CCI-001812If Windows Media Player is installed, configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> "Prevent Automatic Updates" to "Enabled".Windows Media Player is not installed by default. If it is not installed, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: DisableAutoupdate + +Type: REG_DWORD +Value: 1SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>WN12-CC-000123The Windows Remote Management (WinRM) client must not use Basic authentication.<VulnDiscussion>Basic authentication uses plain text passwords that could be used to compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain 
Controller4217V-36712SV-51752CCI-000877Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> "Allow Basic authentication" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0SRG-OS-000393-GPOS-00173<GroupDescription></GroupDescription>WN12-CC-000124The Windows Remote Management (WinRM) client must not allow unencrypted traffic.<VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36713SV-51753CCI-002890CCI-003123Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> "Allow unencrypted traffic" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>WN12-CC-000125The Windows Remote Management (WinRM) client must not use Digest 
authentication.<VulnDiscussion>Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36714SV-51754CCI-000877Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> "Disallow Digest authentication" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowDigest + +Type: REG_DWORD +Value: 0SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>WN12-CC-000126The Windows Remote Management (WinRM) service must not use Basic authentication.<VulnDiscussion>Basic authentication uses plain text passwords that could be used to compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36718SV-51755CCI-000877Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows 
Remote Management (WinRM) -> WinRM Service -> "Allow Basic authentication" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0SRG-OS-000393-GPOS-00173<GroupDescription></GroupDescription>WN12-CC-000127The Windows Remote Management (WinRM) service must not allow unencrypted traffic.<VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51756V-36719CCI-002890CCI-003123Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> "Allow unencrypted traffic" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>WN12-CC-000128The Windows Remote Management (WinRM) service must not store RunAs credentials.<VulnDiscussion>Storage of administrative credentials could allow unauthorized access. 
Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51757V-36720CCI-002038Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> "Disallow WinRM from storing RunAs credentials" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: DisableRunAs + +Type: REG_DWORD +Value: 1SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>WN12-CC-000130The Remote Desktop Session Host must require secure RPC communications.<VulnDiscussion>Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a client and server and modifies them before allowing the packets to be exchanged. 
Usually the attacker will modify the information in the packets in an attempt to cause either the client or server to reveal sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52932V-4447CCI-001453Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> "Require secure RPC communication" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fEncryptRPCTraffic + +Type: REG_DWORD +Value: 1SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>WN12-CC-000132Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. 
(Remote Desktop Services Role).<VulnDiscussion>Preventing the redirection of Remote Desktop session data to a client computer's COM ports helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52224V-15997CCI-002314Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow COM port redirection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableCcm + +Type: REG_DWORD +Value: 1SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>WN12-CC-000133Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. 
(Remote Desktop Services Role).<VulnDiscussion>Preventing the redirection of Remote Desktop session data to a client computer's LPT ports helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15998SV-52226CCI-002314Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow LPT port redirection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableLPT + +Type: REG_DWORD +Value: 1SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>WN12-CC-000134The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. 
(Remote Desktop Services Role).<VulnDiscussion>Enabling the redirection of smart card devices allows their use within Remote Desktop sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-16000SV-52230CCI-002314Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow smart card device redirection" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fEnableSmartCard + +Type: REG_DWORD +Value: 1SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>WN12-CC-000135Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. 
(Remote Desktop Services Role).<VulnDiscussion>Preventing the redirection of Plug and Play devices in Remote Desktop sessions helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15999SV-52229CCI-002314Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow supported Plug and Play device redirection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisablePNPRedir + +Type: REG_DWORD +Value: 1SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>WN12-CC-000136Only the default client printer must be redirected to the Remote Desktop Session Host. 
(Remote Desktop Services Role).<VulnDiscussion>Allowing the redirection of only the default client printer to a Remote Desktop session helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-40204SV-52163CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Printer Redirection -> "Redirect only the default client printer" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: RedirectOnlyDefaultClientPrinter + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000138The display of slide shows on the lock screen must be disabled (Windows 2012 R2).<VulnDiscussion>Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. 
Turning off this feature will limit access to the information to a logged on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-43238SV-56343CCI-000381This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Configure the policy value for Computer Configuration -> Administrative Templates -> Control Panel -> Personalization -> "Prevent enabling lock screen slide show" to "Enabled".This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ + +Value Name: NoLockScreenSlideshow + +Value Type: REG_DWORD +Value: 1SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>WN12-CC-000139Windows 2012 R2 must include command line data in process creation events.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Enabling "Include command line data for process creation events" will record the command line information with the process creation events in the log. This can provide additional detail when malware has run on a system. + +Satisfies: SRG-OS-000042-GPOS-00021</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-56344V-43239CCI-000135Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> "Include command line in process creation events" to "Enabled".This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ + +Value Name: ProcessCreationIncludeCmdLine_Enabled + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000140The network selection user interface (UI) must not be displayed on the logon screen (Windows 2012 R2).<VulnDiscussion>Enabling interaction with the network selection UI allows users to change connections to available networks without signing into Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-43240SV-56346CCI-000381This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Logon -> "Do not display network selection UI" to "Enabled".This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ + +Value Name: DontDisplayNetworkSelectionUI + +Value Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000141The setting to allow Microsoft accounts to be optional for modern style apps must be enabled (Windows 2012 R2).<VulnDiscussion>Control of credentials and the system must be maintained within the enterprise. 
Enabling this setting allows enterprise credentials to be used with modern style apps that support this, instead of Microsoft accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-43241SV-56353CCI-000366This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> App Runtime -> "Allow Microsoft accounts to be optional" to "Enabled".This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + +Value Name: MSAOptional + +Value Type: REG_DWORD +Value: 1SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>WN12-CC-000142The Windows Explorer Preview pane must be disabled for Windows 2012.<VulnDiscussion>A known vulnerability in Windows could allow the execution of malicious code by either opening a compromised document or viewing it in the Windows Preview pane. 
+ +Organizations must disable the Windows Preview pane and Windows Detail pane.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-102619SV-111569CCI-000366Ensure the following settings are configured for Windows 2012 locally or applied through group policy. + +Configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Explorer Frame Pane "Turn off Preview Pane" to "Enabled". + +Configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Explorer Frame Pane "Turn on or off details pane" to "Enabled" and "Configure details pane" to "Always hide". +If the following registry values do not exist or are not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + +Value Name: NoPreviewPane + +Value Type: REG_DWORD + +Value: 1 + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + +Value Name: NoReadingPane + +Value Type: REG_DWORD + +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-CC-000145Automatically signing in the last interactive user after a system-initiated restart must be disabled (Windows 2012 R2).<VulnDiscussion>Windows 2012 R2 can be configured to automatically sign the user back in after a Windows Update restart. 
Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-43245SV-56355CCI-000366This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Logon Options -> "Sign-in last interactive user automatically after a system-initiated restart" to "Disabled".This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. + +Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DisableAutomaticRestartSignOn + +Value Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-CC-000150WDigest Authentication must be disabled.<VulnDiscussion>When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. 
This setting will prevent WDigest from storing credentials in memory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-87391V-72753CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "WDigest Authentication (disabling may require KB2871997)" to "Disabled". + +Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2. + +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ + +Value Name: UseLogonCredential + +Type: REG_DWORD +Value: 0x00000000 (0) + +Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. 
It is not required for Windows 2012 R2.SRG-OS-000480-GPOS-00232<GroupDescription></GroupDescription>WN12-FW-000001A host-based firewall must be installed and enabled on the system.<VulnDiscussion>A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-42420SV-55085CCI-000366Install and enable a host-based firewall on the system.Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. + +The configuration requirements will be determined by the applicable firewall STIG.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>WN12-GE-000001Systems must be maintained at a supported service pack level.<VulnDiscussion>Systems at unsupported service packs or releases will not receive security updates for new vulnerabilities, which leave them subject to exploitation. 
Systems must be maintained at a service pack level supported by the vendor with new security updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1073SV-53189CCI-000366Update the system to a supported release or service pack level.Run "winver.exe". + +If the "About Windows" dialog box does not display +"Microsoft Windows Server +Version 6.2 (Build 9200)" +or greater, this is a finding. + +No preview versions will be used in a production environment. + +Unsupported Service Packs/Releases: +Windows 2012 - any release candidates or versions prior to the initial release.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-GE-000004-DCOnly administrators responsible for the domain controller must have Administrator rights on the system.<VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. + +System administrators must log on to systems only using accounts with the minimum level of authority necessary. 
+ +Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1127SV-51157CCI-002235Configure the system to include only administrator groups or accounts that are responsible for the system in the Administrators group. + +Remove any standard user accounts.Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. + +Standard user accounts must not be members of the local administrator group. + +If prohibited accounts are members of the local administrators group, this is a finding. + +The built-in Administrator account or other required administrative accounts would not be a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN12-GE-000005Local volumes must use a format that supports NTFS attributes.<VulnDiscussion>The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. 
To support this, local volumes must be formatted using a file system that supports NTFS attributes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1081SV-52843CCI-000213Format local volumes to use NTFS or ReFS.Open "Computer Management". + +Select "Disk Management" under "Storage". + +For each local volume, if the file system does not indicate "NTFS", this is a finding. + +"ReFS" (Resilient File System) is also acceptable and would not be a finding. + +“CSV” (Cluster Share Volumes) is also acceptable and would not be a finding. + +This does not apply to system partitions such as the Recovery and EFI System Partition.SRG-OS-000312-GPOS-00124<GroupDescription></GroupDescription>WN12-GE-000006Permissions for system drive root directory (usually C:\) must conform to minimum requirements.<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. 
+ +The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52136V-40178CCI-002165Maintain the default permissions for the system drive's root directory and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (V-3377). + +Default Permissions +C:\ +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +SYSTEM - Full control - This folder, subfolders and files +Administrators - Full control - This folder, subfolders and files +Users - Read & execute - This folder, subfolders and files +Users - Create folders / append data - This folder and subfolders +Users - Create files / write data - Subfolders only +CREATOR OWNER - Full Control - Subfolders and files onlyThe default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +View the Properties of system drive root directory. 
+Select the "Security" tab, and the "Advanced" button. + +C:\ +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +SYSTEM - Full control - This folder, subfolders and files +Administrators - Full control - This folder, subfolders and files +Users - Read & execute - This folder, subfolders and files +Users - Create folders / append data - This folder and subfolders +Users - Create files / write data - Subfolders only +CREATOR OWNER - Full Control - Subfolders and files only + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls c:\ + +The following results should be displayed: + +c:\ +NT AUTHORITY\SYSTEM:(OI)(CI)(F) +BUILTIN\Administrators:(OI)(CI)(F) +BUILTIN\Users:(OI)(CI)(RX) +BUILTIN\Users:(CI)(AD) +BUILTIN\Users:(CI)(IO)(WD) +CREATOR OWNER:(OI)(CI)(IO)(F) +Successfully processed 1 files; Failed processing 0 filesSRG-OS-000312-GPOS-00124<GroupDescription></GroupDescription>WN12-GE-000007Permissions for program file directories must conform to minimum requirements.<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. 
+ +The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-40177SV-52135CCI-002165Maintain the default permissions for the program file directories and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (V-3377). + +Default Permissions: +\Program Files and \Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and filesThe default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. 
(Individual accounts must not be used to assign permissions.) + +Viewing in File Explorer: +For each folder, view the Properties. +Select the "Security" tab, and the "Advanced" button. + +Default Permissions: +\Program Files and \Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls "c:\program files" +icacls "c:\program files (x86)" + +The following results should be displayed as each is entered: + +c:\program files +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 filesSRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>WN12-GE-000008Permissions for Windows installation directory must conform to minimum requirements.<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. 
+ +The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-40179SV-52137CCI-001499CCI-002165Maintain the default file ACLs and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (V-3377). + +Default Permissions: +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and filesThe default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. + +Verify the default permissions for the Windows installation directory (usually C:\Windows). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) 
+ +Viewing in File Explorer: +View the Properties of the folder. +Select the "Security" tab, and the "Advanced" button. + +Default Permissions: +\Windows +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files + +Alternately, use Icacls: + +Open a Command prompt (admin). +Enter icacls followed by the directory: + +icacls c:\windows + +The following results should be displayed: + +c:\windows +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 filesSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-GE-000010The system must not boot into multiple operating systems (dual-boot).<VulnDiscussion>Allowing a system to boot into multiple operating systems (dual-booting) may allow security to be circumvented on a secure 
system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52858V-1119CCI-000366Ensure Windows Server 2012 is the only operating system installed for the system to boot into. Remove alternate operating systems.Verify the local system boots directly into Windows. + +Open Control Panel. +Select "System". +Select the "Advanced System Settings" link. +Select the "Advanced" tab. +Click the "Startup and Recovery" Settings button. + +If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN12-GE-000012Nonadministrative user accounts or groups must only have print permissions on printer shares.<VulnDiscussion>Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. 
Improper configuration can permit access to devices and data beyond a user's need.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52213V-1135CCI-000213Configure the permissions on shared printers to restrict standard users to only have Print permissions. This is typically given through the Everyone group by default.Open "Devices and Printers" in Control Panel or through Search. +If there are no printers configured, this is NA.(Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) + +For each configured printer: +Right click on the printer. +Select "Printer Properties". +Select the "Sharing" tab. +View whether "Share this printer" is checked. + +For any printers with "Share this printer" selected: +Select the Security tab. + +If any standard user accounts or groups have permissions other than "Print", this is a finding. +Standard users will typically be given "Print" permission through the Everyone group. +"All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>WN12-GE-000014Outdated or unused accounts must be removed from the system or disabled.<VulnDiscussion>Outdated or unused accounts provide penetration points that may go undetected. 
Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1112SV-52854CCI-000795Regularly review accounts to determine if they are still active. Disable or delete any active accounts that have not been used in the last 35 days.Run "PowerShell". + +Member servers and standalone systems: +Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) + +"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { + $user = ([ADSI]$_.Path) + $lastLogin = $user.Properties.LastLogin.Value + $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 + if ($lastLogin -eq $null) { + $lastLogin = 'Never' + } + Write-Host $user.Name $lastLogin $enabled +}" + +This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). +For example: User1 10/31/2015 5:49:56 AM True + +Domain Controllers: +Enter the following command in PowerShell. +"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" + +This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. + +Review the list of accounts returned by the above queries to determine the finding validity for each account reported. 
+ +Exclude the following accounts: +Built-in administrator account (Renamed, SID ending in 500) +Built-in guest account (Renamed, Disabled, SID ending in 501) +Application accounts + +If any enabled accounts have not been logged on to within the past 35 days, this is a finding. + +Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>WN12-GE-000015Windows 2012/2012 R2 accounts must be configured to require passwords.<VulnDiscussion>The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52940V-7002CCI-000764Configure all enabled accounts to require passwords. + +The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account.Review the password required status for enabled user accounts. + +Open "Windows PowerShell". + +Domain Controllers: + +Enter "Get-ADUser -Filter * -Properties PasswordNotRequired | Where PasswordNotRequired -eq True | FT Name, PasswordNotRequired, Enabled". + +Exclude disabled accounts (e.g., Guest) and Trusted Domain Objects (TDOs). + +If "PasswordNotRequired" is "True" for any enabled user account, this is a finding. 
+ +Member servers and standalone systems: + +Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. + +Exclude disabled accounts (e.g., Guest). + +If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>WN12-GE-000016Windows 2012/2012 R2 passwords must be configured to expire.<VulnDiscussion>Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-6840SV-52939CCI-000199Configure all enabled user account passwords to expire. + +Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO.Review the password never expires status for enabled user accounts. + +Open "Windows PowerShell" with elevated privileges (run as administrator). + +Domain Controllers: + +Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | Where PasswordNeverExpires -eq True | FT Name, PasswordNeverExpires, Enabled". + +Exclude application accounts and disabled accounts (e.g., Guest). +Domain accounts requiring smart card (CAC/PIV) may also be excluded. 
+ +If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. + +Member servers and standalone systems: + +Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. + +Exclude application accounts and disabled accounts (e.g., Guest). + +If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-GE-000017System files must be monitored for unauthorized changes.<VulnDiscussion>Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52215V-2907CCI-000366Monitor system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. This can be done with the use of various monitoring tools.Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. + +If system files are not monitored for unauthorized changes, this is a finding. + +A properly configured and approved DoD HBSS solution that supports a File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. 
SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN12-GE-000018Non system-created file shares on a system must limit access to groups that require it.<VulnDiscussion>Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to those accounts that require it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3245SV-52881CCI-001090If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. + +Remove any unnecessary non-system-created shares.If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. +(System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) + +Run "Computer Management". +Navigate to System Tools >> Shared Folders >> Shares. + +Right click any non-system-created shares. +Select "Properties". +Select the "Share Permissions" tab. + +If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. + +Select the "Security" tab. 
+ +If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>WN12-GE-000019The HBSS McAfee Agent must be installed.<VulnDiscussion>The McAfee Agent is the client side distributed component of McAfee ePolicy Orchestrator (McAfee ePO) which provides a secure communication channel between the ePO server and managed point products.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53010V-15505CCI-000366Deploy the McAfee Agent as detailed in accordance with the DoD HBSS STIG.Run "Services.msc". + +Verify the McAfee Agent service is running, depending on the version installed. 
+ +Version - Service Name +McAfee Agent v5.x - McAfee Agent Service +McAfee Agent v4.x - McAfee Framework Service + +If the service is not listed or does not have a Status of "Started", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-GE-000020Software certificate installation files must be removed from Windows 2012/2012 R2.<VulnDiscussion>Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-15823SV-53141CCI-000366Remove any certificate installation files (*.p12 and *.pfx) found on a system. + +This does not apply to server-based applications that have a requirement for certificate files, Adobe PreFlight certificate files, or non-certificate installation files with the same extension.Search all drives for *.p12 and *.pfx files. + +If any files with these extensions exist, this is a finding. + +This does not apply to server-based applications that have a requirement for certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. 
These must be documented with the ISSO.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-GE-000021Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system.<VulnDiscussion>Unnecessary services increase the attack surface of a system. Some services may be run under the local System account, which generally has more permissions than required by the service. Compromising a service could allow an intruder to obtain system permissions and open the system to a variety of attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52218V-3487CCI-000381Document the services required for the system to operate. Remove or disable any services that are not required.Required services will vary between organizations, and on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the ISSO. The site's list will be provided for any security review. Services common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system. + +Individual services specifically required to be disabled per the STIG are identified in separate requirements. + +If the site has not documented the services required for their system(s), this is a finding. + +The following can be used to view the services on a system: +Run "Services.msc". 
+ +Services for Windows Server 2012 roles are managed automatically, adding those necessary for a particular role. The following lists the default services for a baseline installation as a reference. This can be used as a basis for documenting the services necessary. + +Default Installation +Name - Startup Type +Application Experience - Manual (Trigger Start) +Application Identity - Manual (Trigger Start) +Application Information - Manual +Application Layer Gateway Service - Manual +Application Management - Manual +Background Intelligent Transfer Service - Automatic (Delayed Start) +Background Tasks Infrastructure Service - Automatic +Base Filtering Engine - Automatic +Certificate Propagation - Manual +CNG Key Isolation - Manual (Trigger Start) +COM+ Event System - Automatic +COM+ System Application - Manual +Computer Browser - Disabled +Credential Manager - Manual +Cryptographic Services - Automatic +DCOM Server Process Launcher - Automatic +Device Association Service - Manual (Trigger Start) +Device Install Service - Manual (Trigger Start) +Device Setup Manager - Manual (Trigger Start) +DHCP Client - Automatic +Diagnostic Policy Service - Automatic (Delayed Start) +Diagnostic Service Host - Manual +Diagnostic System Host - Manual +Distributed Link Tracking Client - Automatic +Distributed Transaction Coordinator - Automatic (Delayed Start) +DNS Client - Automatic (Trigger Start) +Encrypting File System (EFS) - Manual (Trigger Start) +Extensible Authentication Protocol - Manual +Function Discovery Provider Host - Manual +Function Discovery Resource Publication - Manual +Group Policy Client - Automatic (Trigger Start) +Health Key and Certificate Management - Manual +Human Interface Device Access - Manual (Trigger Start) +Hyper-V Data Exchange Service - Manual (Trigger Start) +Hyper-V Guest Shutdown Service - Manual (Trigger Start) +Hyper-V Heartbeat Service - Manual (Trigger Start) +Hyper-V Remote Desktop Virtualization Service - Manual (Trigger Start) +Hyper-V Time 
Synchronization Service - Manual (Trigger Start) +Hyper-V Volume Shadow Copy Requestor - Manual (Trigger Start) +IKE and AuthIP IPsec Keying Modules - Manual (Trigger Start) +Interactive Services Detection - Manual +Internet Connection Sharing (ICS) - Disabled +IP Helper - Automatic +IPsec Policy Agent - Manual (Trigger Start) +KDC Proxy Server service (KPS) - Manual +KtmRm for Distributed Transaction Coordinator - Manual (Trigger Start) +Link-Layer Topology Discovery Mapper - Manual +Local Session Manager - Automatic +Microsoft iSCSI Initiator Service - Manual +Microsoft Software Shadow Copy Provider - Manual +Multimedia Class Scheduler - Manual +Net.Tcp Port Sharing Service - Disabled +Netlogon - Manual +Network Access Protection Agent - Manual +Network Connections - Manual +Network Connectivity Assistant - Manual (Trigger Start) +Network List Service - Manual +Network Location Awareness - Automatic +Network Store Interface Service - Automatic +Optimize drives - Manual +Performance Counter DLL Host - Manual +Performance Logs & Alerts - Manual +Plug and Play - Manual +Portable Device Enumerator Service - Manual (Trigger Start) +Power - Automatic +Print Spooler - Automatic +Printer Extensions and Notifications - Manual +Problem Reports and Solutions Control Panel Support - Manual +Remote Access Auto Connection Manager - Manual +Remote Access Connection Manager - Manual +Remote Desktop Configuration - Manual +Remote Desktop Services - Manual +Remote Desktop Services UserMode Port Redirector - Manual +Remote Procedure Call (RPC) - Automatic +Remote Procedure Call (RPC) Locator - Manual +Remote Registry - Automatic (Trigger Start) +Resultant Set of Policy Provider - Manual +Routing and Remote Access - Disabled +RPC Endpoint Mapper - Automatic +Secondary Logon - Manual +Secure Socket Tunneling Protocol Service - Manual +Security Accounts Manager - Automatic +Server - Automatic +Shell Hardware Detection - Automatic +Smart Card - Disabled +Smart Card Removal Policy - 
Manual +SNMP Trap - Manual +Software Protection - Automatic (Delayed Start, Trigger Start) +Special Administration Console Helper - Manual +Spot Verifier - Manual (Trigger Start) +SSDP Discovery - Disabled +Superfetch - Manual +System Event Notification Service - Automatic +Task Scheduler - Automatic +TCP/IP NetBIOS Helper - Automatic (Trigger Start) +Telephony - Manual +Themes - Automatic +Thread Ordering Server - Manual +UPnP Device Host - Disabled +User Access Logging Service - Automatic (Delayed Start) +User Profile Service - Automatic +Virtual Disk - Manual +Volume Shadow Copy - Manual +Windows All-User Install Agent - Manual (Trigger Start) +Windows Audio - Manual +Windows Audio Endpoint Builder - Manual +Windows Color System - Manual +Windows Driver Foundation - User-mode Driver Framework - Manual (Trigger Start) +Windows Error Reporting Service - Manual (Trigger Start) +Windows Event Collector - Manual +Windows Event Log - Automatic +Windows Firewall - Automatic +Windows Font Cache Service - Automatic +Windows Installer - Manual +Windows Licensing Monitoring Service - Automatic +Windows Management Instrumentation - Automatic +Windows Modules Installer - Manual +Windows Remote Management (WS-Management) - Automatic +Windows Store Service (WSService) - Manual (Trigger Start) +Windows Time - Manual (Trigger Start) +Windows Update - Manual +WinHTTP Web Proxy Auto-Discovery Service - Manual +Wired AutoConfig - Manual +WMI Performance Adapter - Manual +Workstation - AutomaticSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-GE-000022Servers must have a host-based Intrusion Detection System.<VulnDiscussion>A properly configured host-based Intrusion Detection System provides another level of defense against unauthorized access to critical servers. 
With proper configuration and logging enabled, such a system can stop and/or alert for many attempts to gain unauthorized access to resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52105V-3289CCI-000366Install a host-based Intrusion Detection System on each server.Determine whether there is a host-based Intrusion Detection System on each server. + +If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. + +A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO. + +If a host-based Intrusion Detection System is not installed on the system, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>WN12-GE-000023Windows Server 2012 / 2012 R2 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).<VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. 
The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools..</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51582V-36734CCI-001233Install a DoD approved HBSS software and ensure it is operating continuously.Verify DoD approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. + +If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured, maintained, or used, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>WN12-GE-000024The system must support automated patch management tools to facilitate flaw remediation.<VulnDiscussion>The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). 
Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36735SV-51583CCI-000366Establish a process to automatically install security-related software updates.Verify the organization has an automated process to install security-related software updates. If it does not, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>WN12-GE-000025The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.<VulnDiscussion>Failure to verify a certificate's revocation status can result in the system accepting a revoked, and therefore unauthorized, certificate. This could result in the installation of unauthorized software or a connection for rogue networks, depending on the use for which the certificate is intended. 
Querying for certificate revocation mitigates the risk that the system will accept an unauthorized certificate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51584V-36736CCI-000366Install software that provides certificate validation and revocation checking.Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-GE-000026File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.<VulnDiscussion>The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult. + +Using accounts that have administrator privileges to log on to FTP risks that the userid and password will be captured on the network and give administrator access to an unauthorized user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52106V-1120CCI-000366Configure the FTP service to prevent anonymous logons.If FTP is not installed on the system, this is NA. 
+ +Determine the IP address and port number assigned to FTP sites from documentation or configuration. + +If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". + +Select "Sites" under the server name. + +For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. + +Open a "Command Prompt". + +Attempt to log on as the user "anonymous" with the following commands: + +Note: Returned results may vary depending on the FTP server software. + +C:\> "ftp" +ftp> "Open IP Address Port" +(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) +(Connected to IP Address +220 Microsoft FTP Service) + +User (IP Address): "anonymous" +(331 Anonymous access allowed, send identity (e-mail name) as password.) + +Password: "password" +(230 User logged in.) +ftp> + +If the response indicates that an anonymous FTP login was permitted, this is a finding. + +If accounts with administrator privileges are used to access FTP, this is a CAT I finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-GE-000027File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive.<VulnDiscussion>The FTP service allows remote users to access shared files and directories. 
Access outside of the specific directories of shared data could provide access to system resources and compromise the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52212V-1121CCI-000366Configure the system to only allow FTP access to specific folders containing the data to be available through the service.If FTP is not installed on the system, this is NA. + +Determine the IP address and port number assigned to FTP sites from documentation or configuration. + +If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". + +Select "Sites" under the server name. + +For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. + +Open a "Command Prompt". + +Access the FTP site and review accessible directories with the following commands: + +Note: Returned results may vary depending on the FTP server software. + +C:\> "ftp" +ftp> "Open IP Address Port" +(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) +(Connected to IP Address +220 Microsoft FTP Service) + +User (IP Address): "FTP User" +(Substituting [FTP User] with an account identified that is allowed access. If it was determined that anonymous access was allowed to the site [see V-1120], also review access using "anonymous".) + (331 Password required) + +Password: "Password" +(Substituting [Password] with password for the account attempting access.) 
+(230 User ftpuser logged in.) + +ftp> "Dir" + +If the FTP session indicates access to areas of the system other than the specific folder for FTP data, such as the root of the drive, Program Files or Windows directories, this is a finding.SRG-OS-000002-GPOS-00002<GroupDescription></GroupDescription>WN12-GE-000056Windows 2012 / 2012 R2 must automatically remove or disable temporary user accounts after 72 hours.<VulnDiscussion>If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. + +Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. + +If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. + +To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-72063V-57653CCI-000016Configure temporary user accounts to automatically expire within 72 hours. + +Domain account can be configured with an account expiration date, under "Account" properties. 
+ +Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. + +Delete any temporary user accounts that are no longer necessary.Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. + +Review temporary user accounts for expiration dates. + +Open "PowerShell". + +Domain Controllers: + +Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" +This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) + +If any accounts identified as temporary are not listed, this is a finding. + +For any temporary accounts returned by the previous query: +Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. + +If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. + +Member servers and standalone systems: + +Enter "Net User [username]", where [username] is the name of the temporary user account. + +If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding. + +If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. (Net User does not provide an account creation date.)SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>WN12-GE-000057Windows 2012 / 2012 R2 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.<VulnDiscussion>Emergency administrator accounts are privileged accounts which are established in response to crisis situations where the need for rapid account activation is required. 
Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. + +Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. + +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-57655SV-72065CCI-001682Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. + +Domain accounts can be configured with an account expiration date, under "Account" properties. 
+ +Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the emergency administrator account.Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. + +If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. + +If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. + +Domain Controllers: + +Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" +This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) + +If any accounts identified as emergency administrator accounts are not listed, this is a finding. + +For any emergency administrator accounts returned by the previous query: +Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. + +If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. + +Member servers and standalone systems: + +Enter "Net User [username]", where [username] is the name of the emergency administrator accounts. + +If "Account expires" has not been defined within 72 hours for any emergency administrator accounts, this is a finding. + +If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. 
(Net User does not provide an account creation date.)SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN12-PK-000001The DoD Root CA certificates must be installed in the Trusted Root Store.<VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52961V-32272CCI-000185CCI-002470Install the DoD Root CA certificates. +DoD Root CA 2 +DoD Root CA 3 +DoD Root CA 4 +DoD Root CA 5 + +The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities. + +The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. + +Run "PowerShell" as an administrator. + +Execute the following command: + +Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter + +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 +NotAfter: 12/5/2029 + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. 
Government, C=US +Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB +NotAfter: 12/30/2029 + +Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 +NotAfter: 7/25/2032 + +Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B +NotAfter: 6/14/2041 + +Alternately use the Certificates MMC snap-in: + +Run "MMC". + +Select "File", "Add/Remove Snap-in". + +Select "Certificates", click "Add". + +Select "Computer account", click "Next". + +Select "Local computer: (the computer this console is running on)", click "Finish". + +Click "OK". + +Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". + +For each of the DoD Root CA certificates noted below: + +Right-click on the certificate and select "Open". + +Select the "Details" Tab. + +Scroll to the bottom and select "Thumbprint". + +If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. 
+ +DoD Root CA 2 +Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 +Valid to: Wednesday, December 5, 2029 + +DoD Root CA 3 +Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB +Valid to: Sunday, December 30, 2029 + +DoD Root CA 4 +Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 +Valid to: Sunday, July 25, 2032 + +DoD Root CA 5 +Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B +Valid to: Friday, June 14, 2041SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN12-PK-000003The DoD Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.<VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-32274SV-52957CCI-000185CCI-002470Install the DoD Interoperability Root CA cross-certificates on unclassified systems. + +Issued To - Issued By - Thumbprint +DoD Root CA 2 - DoD Interoperability Root CA 1 - A8C27332CCB4CA49554CE55D34062A7DD2850C02 +DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341 + +The certificates can be installed using the InstallRoot tool. 
The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. + +Run "PowerShell" as an administrator. + +Execute the following command: + +Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter + +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is a finding. + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 +NotAfter: 1/22/2022 10:22:56 AM + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02 +NotAfter: 8/26/2022 9:25:51 AM + +Alternately use the Certificates MMC snap-in: + +Run "MMC". + +Select "File", "Add/Remove Snap-in". + +Select "Certificates", click "Add". + +Select "Computer account", click "Next". + +Select "Local computer: (the computer this console is running on)", click "Finish". + +Click "OK". + +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": + +Right-click on the certificate and select "Open". + +Select the "Details" Tab. + +Scroll to the bottom and select "Thumbprint". + +If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. 
+ +Issued To: DoD Root CA 2 +Issued By: DoD Interoperability Root CA 1 +Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02 +Valid to: Friday, August 26, 2022 + +Issued To: DoD Root CA 3 +Issued By: DoD Interoperability Root CA 2 +Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 +Valid to: Saturday, January 22, 2022 +SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN12-PK-000004The US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.<VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-40237SV-52196CCI-000185CCI-002470Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. + +Issued To - Issued By - Thumbprint +DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 + +The certificates can be installed using the InstallRoot tool. The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. 
+ +Run "PowerShell" as an administrator. + +Execute the following command: + +Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter + +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is a finding. + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 +NotAfter: 8/26/2022 + +Alternately use the Certificates MMC snap-in: + +Run "MMC". + +Select "File", "Add/Remove Snap-in". + +Select "Certificates", click "Add". + +Select "Computer account", click "Next". + +Select "Local computer: (the computer this console is running on)", click "Finish". + +Click "OK". + +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": + +Right-click on the certificate and select "Open". + +Select the "Details" Tab. + +Scroll to the bottom and select "Thumbprint". + +If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. 
+ +Issued To: DoD Root CA 3 +Issuer by: US DoD CCEB Interoperability Root CA 2 +Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 +Valid: Friday, August 26, 2022 +SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN12-PK-000005-DCDomain controllers must have a PKI server certificate.<VulnDiscussion>Domain controller must have a server certificate to establish authenticity as part of PKI authentications in the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51189V-39334CCI-000185Obtain a server certificate for the domain controller.Verify the domain controller has a PKI server certificate. + +Run "mmc". +Select "Add/Remove Snap-in" from the File menu. +Select "Certificates" in the left pane and click the "Add >" button. +Select "Computer Account", click "Next". +Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". +Click "OK". +Select and expand the Certificates (Local Computer) entry in the left pane. +Select and expand the Personal entry in the left pane. +Select the Certificates entry in the left pane. + +If no certificate for the domain controller exists in the right pane, this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN12-PK-000006-DCDomain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).<VulnDiscussion>A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. 
Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14820SV-51190CCI-000185Obtain PKI certificates issued by the DoD PKI or an approved External Certificate Authority (ECA).Verify the source of the domain controller's server certificate. + +Run "mmc". +Select "Add/Remove Snap-in" from the File menu. +Select "Certificates" in the left pane and click the "Add >" button. +Select "Computer Account", click "Next". +Select the appropriate option for "Select the computer you want this snap-in to manage.", click "Finish". +Click "OK". +Select and expand the Certificates (Local Computer) entry in the left pane. +Select and expand the Personal entry in the left pane. +Select the Certificates entry in the left pane. +In the right pane, examine the Issued By field for the certificate to determine the issuing CA. + +If the Issued By field of the PKI certificate being used by the domain controller does not indicate the issuing Certificate Authority (CA) is part of the DoD PKI or an approved ECA, this is a finding. + + +There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: + +The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. 
+ +DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE. +http://iase.disa.mil/pki-pke/function_pages/tools.htmlSRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN12-PK-000007-DCPKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).<VulnDiscussion>A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26683SV-51191CCI-000185Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.Open "PowerShell" as Administrator. + +Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled -AutoSize". + +Review the User Principal Name (UPN) of user accounts, including administrators. + +Exclude the built-in accounts such as Administrator and Guest. + +If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. 
+ +For standard NIPRNET certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). + +Alt Tokens and other certificates may use a different UPN format than the EDI-PI, which vary by organization. Verify these with the organization. + +NIPRNET Example: +Name - User Principal Name +User1 - 1234567890@mil + +See PKE documentation for other network domain suffixes. + +If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.SRG-OS-000105-GPOS-00052<GroupDescription></GroupDescription>WN12-PK-000008-DCActive directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.<VulnDiscussion>Smart cards such as the Common Access Card (CAC) support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51192V-15488CCI-000765CCI-000766CCI-000767CCI-000768CCI-001948Configure all user accounts, including administrator accounts, in Active Directory to enable the option "Smart card is required for interactive logon". + +Run "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"): +Select the Organizational Unit (OU) where the user accounts are located. 
(By default this is the Users node; however, accounts may be under other organization-defined OUs.) +Right click the user account and select "Properties". +Select the "Account" tab. +Check "Smart card is required for interactive logon" in the "Account Options" area.Verify active directory user accounts, including administrators, have "Smart card is required for interactive logon" selected. + +Run "PowerShell". +Enter the following: +"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name" +("DistinguishedName" may be substituted for "Name" for more detailed output.) +If any user accounts are listed, this is a finding. + +Alternately: +To view sample accounts in "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"): +Select the Organizational Unit (OU) where the User accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.) +Right click the sample User account and select "Properties". +Select the "Account" tab. +If any User accounts do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-RG-000001Standard user accounts must only have Read permissions to the Winlogon registry key.<VulnDiscussion>Permissions on the Winlogon registry key must only allow privileged accounts to change registry values. 
If standard users have these permissions, there is a potential for programs to run with elevated privileges when a privileged user logs on to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53123V-26070CCI-002235Maintain permissions at least as restrictive as the defaults listed below for the "WinLogon" registry key. It is recommended to not change the permissions from the defaults. + +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +The following are the same for each permission listed: +Type - Allow +Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion +Applies to - This key and subkeys + +Columns: Principal - Access +TrustedInstaller - Full Control +SYSTEM - Full Control +Administrators - Full Control +Users - Read +ALL APPLICATION PACKAGES - ReadRun "Regedit". +Navigate to the following registry key: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Right-click on "WinLogon" and select "Permissions…". +Select "Advanced". + +If the permissions are not as restrictive as the defaults listed below, this is a finding. 
+ +The following are the same for each permission listed: +Type - Allow +Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion +Applies to - This key and subkeys + +Columns: Principal - Access +TrustedInstaller - Full Control +SYSTEM - Full Control +Administrators - Full Control +Users - Read +ALL APPLICATION PACKAGES - ReadSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-RG-000002Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.<VulnDiscussion>Permissions on the Active Setup\Installed Components registry key must only allow privileged accounts to add or change registry values. If standard user accounts have these permissions, there is a potential for programs to run with elevated privileges when a privileged user logs on to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52956V-32282CCI-002235Maintain the default permissions of the following registry keys: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ +HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems only) + +Users - Read +Administrators - Full Control +SYSTEM - Full Control +CREATOR OWNER - Full Control (Subkeys only) +ALL APPLICATION PACKAGES - ReadRun "Regedit". 
+Navigate to the following registry keys and review the permissions: +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ +HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems) + +If the default permissions listed below have been changed, this is a finding. + +Users - Read +Administrators - Full Control +SYSTEM - Full Control +CREATOR OWNER - Full Control (Subkeys only) +ALL APPLICATION PACKAGES - ReadSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-RG-000004Anonymous access to the registry must be restricted.<VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. Some processes may require anonymous access to the registry. This must be limited to properly protect the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1152SV-52864CCI-002235Maintain permissions at least as restrictive as the defaults listed below for the "winreg" registry key. It is recommended to not change the permissions from the defaults. + +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ + +The following are the same for each permission listed: +Type - Allow +Inherited from - None + +Columns: Principal - Access - Applies to +Administrators - Full Control - This key and subkeys +Backup Operators - Read - This key only +LOCAL SERVICE - Read - This key and subkeysRun "Regedit". 
+Navigate to the following registry key: +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ + +If the key does not exist, this is a finding. + +Right-click on "winreg" and select "Permissions…". +Select "Advanced". + +If the permissions are not as restrictive as the defaults listed below, this is a finding. + +The following are the same for each permission listed: +Type - Allow +Inherited from - None + +Columns: Principal - Access - Applies to +Administrators - Full Control - This key and subkeys +Backup Operators - Read - This key only +LOCAL SERVICE - Read - This key and subkeysSRG-OS-000121-GPOS-00062<GroupDescription></GroupDescription>WN12-SO-000003The built-in guest account must be disabled.<VulnDiscussion>A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1113SV-52855CCI-000804Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Guest account status" to "Disabled".Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. 
+ +If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000004Local accounts with blank passwords must be restricted to prevent access from the network.<VulnDiscussion>An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. However, if a local account with a blank password did exist, enabling this setting will prevent network access, limiting the account to local console logon only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52886V-3344CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Limit local account use of blank passwords to console logon only" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: LimitBlankPasswordUse + +Value Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000005The built-in administrator account must be renamed.<VulnDiscussion>The built-in administrator account is a well-known account subject to attack. 
Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52857V-1115CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Rename administrator account" to a name other than "Administrator".Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000006The built-in guest account must be renamed.<VulnDiscussion>The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. 
Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1114SV-52856CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Rename guest account" to a name other than "Guest".Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding.SRG-OS-000142-GPOS-00071<GroupDescription></GroupDescription>WN12-SO-000007Auditing the Access of Global System Objects must be turned off.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+This setting prevents the system from setting up a default system access control list for certain system objects, which could create a very large number of security events, filling the security log in Windows and making it difficult to identify actual issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53129V-14228CCI-001095Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Audit the access of global system objects" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: AuditBaseObjects + +Value Type: REG_DWORD +Value: 0SRG-OS-000142-GPOS-00071<GroupDescription></GroupDescription>WN12-SO-000008Auditing of Backup and Restore Privileges must be turned off.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+This setting prevents the system from generating audit events for every file backed up or restored, which could fill the security log in Windows, making it difficult to identify actual issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52943V-14229CCI-001095Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Audit the use of Backup and Restore privilege" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: FullPrivilegeAuditing + +Value Type: REG_BINARY +Value: 00SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>WN12-SO-000009Audit policy using subcategories must be enabled.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14230SV-52944CCI-000169Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: SCENoApplyLegacyAuditPolicy + +Value Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000011Ejection of removable NTFS media must be restricted to Administrators.<VulnDiscussion>Removable hard drives, if they are not properly configured, can be formatted and ejected by users who are not members of the Administrators Group. 
Formatting and ejecting removable NTFS media must only be done by administrators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1171SV-52875CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Devices: Allowed to format and eject removable media" to "Administrators".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: AllocateDASD + +Value Type: REG_SZ +Value: 0SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN12-SO-000012Outgoing secure channel traffic must be encrypted or signed.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted and signed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52934V-6831CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Digitally encrypt or sign secure channel data (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireSignOrSeal + +Value Type: REG_DWORD +Value: 1SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN12-SO-000013Outgoing secure channel traffic must be encrypted when possible.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52871V-1163CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt secure channel data (when possible)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SealSecureChannel + +Value Type: REG_DWORD +Value: 1 + +If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN12-SO-000014Outgoing secure channel traffic must be signed when possible.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. 
If this policy is enabled, outgoing secure channel traffic will be signed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1164SV-52872CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally sign secure channel data (when possible)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SignSecureChannel + +Value Type: REG_DWORD +Value: 1 + +If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000015The computer account password must not be prevented from being reset.<VulnDiscussion>Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. 
A new password for the computer account will be generated every 30 days.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1165SV-52873CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Disable machine account password changes" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: DisablePasswordChange + +Value Type: REG_DWORD +Value: 0SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000016The maximum age for machine account passwords must be set to requirements.<VulnDiscussion>Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. 
This setting must be set to no more than 30 days, ensuring the machine changes its password monthly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52887V-3373CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Maximum machine account password age" to "30" or less (excluding "0" which is unacceptable).If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: MaximumPasswordAge + +Value Type: REG_DWORD +Value: 30 (or less, but not 0)SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN12-SO-000017The system must be configured to require a strong session key.<VulnDiscussion>A computer connecting to a domain controller will establish a secure channel. 
Requiring strong session keys enforces 128-bit encryption between systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3374SV-52888CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Require strong (Windows 2000 or Later) session key" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireStrongKey + +Value Type: REG_DWORD +Value: 1 + +This setting may prevent a system from being joined to a domain if not configured consistently between systems.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000018The system must be configured to prevent the display of the last username on the logon screen.<VulnDiscussion>Displaying the username of the last logged on user provides half of the userid/password equation that an unauthorized person would need to gain access. 
The username of the last user to log on to a system must not be displayed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52941V-11806CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive logon: Do not display last user name" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DontDisplayLastUserName + +Value Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000019The Ctrl+Alt+Del security attention sequence for logons must be enabled.<VulnDiscussion>Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, a user can be assured that any passwords entered following that sequence are sent only to Windows. If the sequence requirement is eliminated, malicious programs can request and receive a user's Windows password. 
Disabling this sequence also suppresses a custom logon banner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1154SV-52866CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Do not require CTRL+ALT+DEL" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DisableCAD + +Value Type: REG_DWORD +Value: 0SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>WN12-SO-000021The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. 
This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36773SV-51596CCI-000057Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive logon: Machine inactivity limit" to "900" seconds" or less, excluding "0" which is effectively disabled.If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: InactivityTimeoutSecs + +Value Type: REG_DWORD +Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled)SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>WN12-SO-000022The required legal notice must be configured to display before console logon.<VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows 
Server 2012-2012 R2 Domain Controller4217V-1089SV-52845CCI-000048CCI-000050CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message text for users attempting to log on" to the following: + +You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeText + +Value Type: REG_SZ +Value: See message text below + +You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>WN12-SO-000023The Windows dialog box title for the legal banner must be configured.<VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53121V-26359CCI-000048CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Message title for users attempting to log on" to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. + +If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089.If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeCaption + +Value Type: REG_SZ +Value: See message title options below + +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. + +If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089. + +Automated tools may only search for the titles defined above. 
If a site-defined title is used, a manual review will be required.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000024Caching of logon credentials must be limited.<VulnDiscussion>The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well-protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1090SV-52846CCI-000366If the system is not a member of a domain, this is NA. + +Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)" to "4" logons or less.If the system is not a member of a domain, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: CachedLogonsCount + +Value Type: REG_SZ +Value: 4 (or less)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000025Users must be warned in advance of their passwords expiring.<VulnDiscussion>Creating strong passwords that can be remembered by users requires some thought. By giving the user advance warning, the user has time to construct a sufficiently strong password. This setting configures the system to display a warning to users telling them how many days are left before their password expires.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52876V-1172CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Prompt user to change password before expiration" to "14" days or more.If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: PasswordExpiryWarning + +Value Type: REG_DWORD +Value: 14 (or greater)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000027The Smart Card removal option must be configured to Force Logoff or Lock Workstation.<VulnDiscussion>Unattended systems are susceptible to 
unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1157SV-52867CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: SCRemoveOption + +Value Type: REG_SZ +Value: 1 (Lock Workstation) or 2 (Force Logoff) + +If configuring this on servers causes issues such as terminating users' remote sessions and the site has a policy in place that any other sessions on the servers such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN12-SO-000028The Windows SMB client must be configured to always perform SMB packet signing.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52935V-6832CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network client: Digitally sign communications (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: RequireSecuritySignature + +Value Type: REG_DWORD +Value: 1SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN12-SO-000029The Windows SMB client must be enabled to perform SMB packet signing when possible.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. 
If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1166SV-52874CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network client: Digitally sign communications (if server agrees)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 1SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>WN12-SO-000030Unencrypted passwords must not be sent to third-party SMB Servers.<VulnDiscussion>Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the overall security of the environment. 
Check with the vendor of the SMB server to see if there is a way to support encrypted password authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1141SV-52861CCI-000197Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Client: Send unencrypted password to third-party SMB servers" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnablePlainTextPassword + +Value Type: REG_DWORD +Value: 0SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>WN12-SO-000031The amount of idle time required before suspending a session must be properly set.<VulnDiscussion>Open sessions can increase the avenues of attack on a system. This setting is used to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished. 
This protects critical and sensitive network data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52878V-1174CCI-001133CCI-002361Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Server: Amount of idle time required before suspending session" to "15" minutes or less.If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: autodisconnect + +Value Type: REG_DWORD +Value: 0x0000000f (15) (or less)SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN12-SO-000032The Windows SMB server must be configured to always perform SMB packet signing.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-6833SV-52936CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Digitally sign communications (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: RequireSecuritySignature + +Value Type: REG_DWORD +Value: 1SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN12-SO-000033The Windows SMB server must perform SMB packet signing when possible.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1162SV-52870CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Digitally sign communications (if client agrees)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 1SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>WN12-SO-000034Users must be forcibly disconnected when their logon hours expire.<VulnDiscussion>Users must not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored. 
Forcibly disconnecting users when logon hours expire protects critical and sensitive network data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1136SV-52860CCI-001133Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Disconnect clients when logon hours expire" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: EnableForcedLogoff + +Value Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000035The service principal name (SPN) target name validation level must be turned off.<VulnDiscussion>If a service principle name (SPN) is provided by the client, it is validated against the server's list of SPNs. 
Implementation may disrupt file and print sharing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53175V-21950CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Server SPN target name validation level" to "Off".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanmanServer\Parameters\ + +Value Name: SmbServerNameHardeningLevel + +Type: REG_DWORD +Value: 0SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000036Automatic logons must be disabled.<VulnDiscussion>Allowing a system to automatically log on when the machine is booted could give access to any unauthorized individual who restarts the computer. 
Automatic logon with administrator privileges would give full access to an unauthorized individual.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52107V-1145CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" to "Disabled". + +Ensure no passwords are stored in the "DefaultPassword" registry value noted below: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: DefaultPassword + +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: AutoAdminLogon + +Type: REG_SZ +Value: 0SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000037IPv6 source routing must be configured to the highest protection level.<VulnDiscussion>Configuring the system to disable IPv6 source routing protects against 
spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53180V-21955CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" to "Highest protection, source routing is completely disabled". + +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ + +Value Name: DisableIPSourceRouting + +Type: REG_DWORD +Value: 2SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000038The system must be configured to prevent IP source routing.<VulnDiscussion>Configuring the system to disable IP source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-4110SV-52924CCI-000366Configure the 
policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" to "Highest protection, source routing is completely disabled". + +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: DisableIPSourceRouting + +Value Type: REG_DWORD +Value: 2SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000039The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.<VulnDiscussion>Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52925V-4111CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to "Disabled". 
+ +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableICMPRedirect + +Value Type: REG_DWORD +Value: 0SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>WN12-SO-000041The system must be configured to limit how often keep-alive packets are sent.<VulnDiscussion>This setting controls how often TCP sends a keep-alive packet in attempting to verify that an idle connection is still intact. A higher value could allow an attacker to cause a denial of service with numerous connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52927V-4113CCI-002385Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds" to "300000 or 5 minutes (recommended)" or less. 
+ +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: KeepAliveTime + +Value Type: REG_DWORD +Value: 300000 (or less)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000042IPSec Exemptions must be limited.<VulnDiscussion>IPSec exemption filters allow specific traffic that may be needed by the system for such things as Kerberos authentication. This setting configures Windows for specific IPSec exemptions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14232SV-52945CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic" to "Only ISAKMP is exempt (recommended for Windows Server 2003)". 
+ +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\IPSEC\ + +Value Name: NoDefaultExempt + +Value Type: REG_DWORD +Value: 3SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>WN12-SO-000043The system must be configured to ignore NetBIOS name release requests except from WINS servers.<VulnDiscussion>Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the servers WINS resolution capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-4116SV-52928CCI-002385Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to "Enabled". 
+ +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ + +Value Name: NoNameReleaseOnDemand + +Value Type: REG_DWORD +Value: 1SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>WN12-SO-000044The system must be configured to disable the Internet Router Discovery Protocol (IRDP).<VulnDiscussion>The Internet Router Discovery Protocol (IRDP) is used to detect and configure default gateway addresses on the computer. If a router is impersonated on a network, traffic could be routed through the compromised system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-4112SV-52926CCI-002385Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)" to "Disabled". 
+ +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: PerformRouterDiscovery + +Value Type: REG_DWORD +Value: 0SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000045The system must be configured to use Safe DLL Search Mode.<VulnDiscussion>The default search behavior, when an application calls a function in a Dynamic Link Library (DLL), is to search the current directory, followed by the directories contained in the system's path environment variable. An unauthorized DLL, inserted into an application's working directory, could allow malicious code to be run on the system. Setting this policy value forces the system to search the %Systemroot% for the DLL before searching the current directory or the rest of the path.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3479SV-52920CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" to "Enabled". 
+ +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\ + +Value Name: SafeDllSearchMode + +Value Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000046The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.<VulnDiscussion>Allowing more than several seconds makes the computer vulnerable to a potential attack from someone walking up to the console to attempt to log on to the system before the lock takes effect.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-4442SV-52930CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to "5" or less. 
+ +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: ScreenSaverGracePeriod + +Value Type: REG_SZ +Value: 5 (or less)SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>WN12-SO-000047IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.<VulnDiscussion>Configuring Windows to limit the number of times that IPv6 TCP retransmits unacknowledged data segments before aborting the attempt helps prevent resources from becoming exhausted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-21956SV-53181CCI-002385Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" to "3" or less. 
+ +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ + +Value Name: TcpMaxDataRetransmissions + +Value Type: REG_DWORD +Value: 3 (or less)SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>WN12-SO-000048The system must limit how many times unacknowledged TCP data is retransmitted.<VulnDiscussion>In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server, and the server leaves the half-open connections open until it is overwhelmed and is no longer able to respond to legitimate requests.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-4438SV-52929CCI-002385Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" to "3" or less. 
+ +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: TcpMaxDataRetransmissions + +Value Type: REG_DWORD +Value: 3 (or less)SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>WN12-SO-000049The system must generate an audit event when the audit log reaches a percentage of full threshold.<VulnDiscussion>When the audit log reaches a given percent full, an audit event is written to the security log. It is recorded as a successful audit event under the category of System. This option may be especially useful if the audit logs are set to be cleared manually.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52923V-4108CCI-000139CCI-001855CCI-001858Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" to "90" or less. + +(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the system is configured to write to an audit server, or is configured to automatically archive full logs, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\ + +Value Name: WarningLevel + +Value Type: REG_DWORD +Value: 90 (or less)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000050Anonymous SID/Name translation must not be allowed.<VulnDiscussion>Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3337SV-52882CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Allow anonymous SID/Name translation" to "Disabled".Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. 
+ +If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000051Anonymous enumeration of SAM accounts must not be allowed.<VulnDiscussion>Anonymous enumeration of SAM accounts allows anonymous log on users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26283SV-53122CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymousSAM + +Value Type: REG_DWORD +Value: 1SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN12-SO-000052Anonymous enumeration of shares must be restricted.<VulnDiscussion>Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the 
system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52847V-1093CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymous + +Value Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000054The system must be configured to prevent anonymous users from having the same rights as the Everyone group.<VulnDiscussion>Access by anonymous users must be restricted. If this setting is enabled, then anonymous users have the same rights and permissions as the built-in Everyone group. 
Anonymous users must not have these permissions or rights.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3377SV-52890CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Let everyone permissions apply to anonymous users" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: EveryoneIncludesAnonymous + +Value Type: REG_DWORD +Value: 0SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN12-SO-000055-DCNamed pipes that can be accessed anonymously must be configured with limited values on domain controllers.<VulnDiscussion>Named pipes that can be accessed anonymously provide the potential for gaining unauthorized system access. Pipes are internal system communications processes. They are identified internally by ID numbers that vary between systems. To make access to these processes easier, these pipes are given names that do not vary between systems. 
This setting controls which of these pipes anonymous users may access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51138V-3338CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Named pipes that can be accessed anonymously" to only include "netlogon, samr, lsarpc".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: NullSessionPipes + +Value Type: REG_MULTI_SZ +Value: netlogon, samr, lsarpc + +The default configuration of systems promoted to domain controllers may include a blank entry in the first line prior to "netlogon", "samr", and "lsarpc". This will appear in the registry as a blank entry when viewing the registry key summary; however the value data for "NullSessionPipes" will contain the default entries. + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN12-SO-000056Unauthorized remotely accessible registry paths must not be configured.<VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. 
Some processes may require remote access to the registry. This setting controls which registry paths are accessible from a remote computer. These registry paths must be limited, as they could give unauthorized individuals access to the registry.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52883V-3339CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Remotely accessible registry paths" with the following entries: + +System\CurrentControlSet\Control\ProductOptions +System\CurrentControlSet\Control\Server Applications +Software\Microsoft\Windows NT\CurrentVersionIf the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\ + +Value Name: Machine + +Value Type: REG_MULTI_SZ +Value: see below + +System\CurrentControlSet\Control\ProductOptions +System\CurrentControlSet\Control\Server Applications +Software\Microsoft\Windows NT\CurrentVersion + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. 
Documentation must contain supporting information from the vendor's instructions.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN12-SO-000057Unauthorized remotely accessible registry paths and sub-paths must not be configured.<VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. Some processes may require remote access to the registry. This setting controls which registry paths and sub-paths are accessible from a remote computer. These registry paths must be limited, as they could give unauthorized individuals access to the registry.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-4443SV-52931CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Remotely accessible registry paths and sub-paths" with the following entries: + +Software\Microsoft\OLAP Server +Software\Microsoft\Windows NT\CurrentVersion\Perflib +Software\Microsoft\Windows NT\CurrentVersion\Print +Software\Microsoft\Windows NT\CurrentVersion\Windows +System\CurrentControlSet\Control\ContentIndex +System\CurrentControlSet\Control\Print\Printers +System\CurrentControlSet\Control\Terminal Server +System\CurrentControlSet\Control\Terminal Server\UserConfig +System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration +System\CurrentControlSet\Services\Eventlog +System\CurrentControlSet\Services\SysmonlogIf the following registry value does not exist or is not configured as specified, this 
is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\ + +Value Name: Machine + +Value Type: REG_MULTI_SZ +Value: see below + +Software\Microsoft\OLAP Server +Software\Microsoft\Windows NT\CurrentVersion\Perflib +Software\Microsoft\Windows NT\CurrentVersion\Print +Software\Microsoft\Windows NT\CurrentVersion\Windows +System\CurrentControlSet\Control\ContentIndex +System\CurrentControlSet\Control\Print\Printers +System\CurrentControlSet\Control\Terminal Server +System\CurrentControlSet\Control\Terminal Server\UserConfig +System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration +System\CurrentControlSet\Services\Eventlog +System\CurrentControlSet\Services\Sysmonlog + +Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN12-SO-000058Anonymous access to Named Pipes and Shares must be restricted.<VulnDiscussion>Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. 
This setting restricts access to those defined in "Network access: Named Pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously", both of which must be blank under other requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52937V-6834CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: RestrictNullSessAccess + +Value Type: REG_DWORD +Value: 1SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN12-SO-000059Network shares that can be accessed anonymously must not be allowed.<VulnDiscussion>Anonymous access to network shares provides the potential for gaining unauthorized system access by network users. 
This could lead to the exposure or corruption of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3340SV-52884CCI-001090Ensure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Shares that can be accessed anonymously" contains no entries (blank).If the following registry value does not exist, this is not a finding: + +If the following registry value does exist and is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: NullSessionShares + +Value Type: REG_MULTI_SZ +Value: (Blank)SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN12-SO-000060The system must be configured to use the Classic security model.<VulnDiscussion>Windows includes two network-sharing security models - Classic and Guest only. 
With the Classic model, local accounts must be password protected; otherwise, anyone can use guest user accounts to access shared system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3378SV-52891CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Sharing and security model for local accounts" to "Classic - local users authenticate as themselves".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: ForceGuest + +Value Type: REG_DWORD +Value: 0SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>WN12-SO-000061Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.<VulnDiscussion>Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously vs. 
using the computer identity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-21951SV-53176CCI-000778Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Allow Local System to use computer identity for NTLM" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\ + +Value Name: UseMachineId + +Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000062NTLM must be prevented from falling back to a Null session.<VulnDiscussion>NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-21952SV-53177CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Allow LocalSystem NULL session fallback" to "Disabled".If the 
following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\MSV1_0\ + +Value Name: allownullsessionfallback + +Type: REG_DWORD +Value: 0SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000063PKU2U authentication using online identities must be prevented.<VulnDiscussion>PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53178V-21953CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\LSA\pku2u\ + +Value Name: AllowOnlineID + +Type: REG_DWORD +Value: 0SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>WN12-SO-000064Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.<VulnDiscussion>Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. 
+ +Note: Removing the previously allowed RC4_HMAC_MD5 encryption suite may have operational impacts and must be thoroughly tested for the environment before changing. This includes but is not limited to parent\child trusts where RC4 is still enabled; selecting "The other domain supports Kerberos AES Encryption" may be required on the domain trusts to allow client communication across the trust relationship.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53179V-21954CCI-000803Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: + +AES128_HMAC_SHA1 +AES256_HMAC_SHA1 +Future encryption types + +Note: Removing the previously allowed RC4_HMAC_MD5 encryption suite may have operational impacts and must be thoroughly tested for the environment before changing. This includes but is not limited to parent\child trusts where RC4 is still enabled; selecting "The other domain supports Kerberos AES Encryption" may be required on the domain trusts to allow client communication across the trust relationship.If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ + +Value Name: SupportedEncryptionTypes + +Value Type: REG_DWORD +Value: 0x7ffffff8 (2147483640) + +Note: Removing the previously allowed RC4_HMAC_MD5 encryption suite may have operational impacts and must be thoroughly tested for the environment before changing. This includes but is not limited to parent\child trusts where RC4 is still enabled; selecting "The other domain supports Kerberos AES Encryption" may be required on the domain trusts to allow client communication across the trust relationship.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>WN12-SO-000065The system must be configured to prevent the storage of the LAN Manager hash of passwords.<VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3379SV-52892CCI-000196Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: 
\System\CurrentControlSet\Control\Lsa\ + +Value Name: NoLMHash + +Value Type: REG_DWORD +Value: 1SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>WN12-SO-000066The system must be configured to force users to log off when their allowed logon hours expire.<VulnDiscussion>Limiting logon hours can help protect data by only allowing access during specified times. This setting controls whether or not users are forced to log off when their allowed logon hours expire. If logon hours are set for users, this must be enforced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3380SV-52893CCI-001133Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Force logoff when logon hours expire" to "Enabled".Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. + +If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000067The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.<VulnDiscussion>The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. 
NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to stand-alone computers that are running later versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1153SV-52865CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\ + +Value Name: LmCompatibilityLevel + +Value Type: REG_DWORD +Value: 5SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000068The system must be configured to the required LDAP client signing level.<VulnDiscussion>This setting controls the signing requirements for LDAP clients. 
This setting must be set to Negotiate signing or Require signing, depending on the environment and type of LDAP server in use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3381SV-52894CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum.If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\LDAP\ + +Value Name: LDAPClientIntegrity + +Value Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000069The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients.<VulnDiscussion>Microsoft has implemented a variety of security support providers for use with RPC sessions. 
All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3382SV-52895CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinClientSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000070The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers.<VulnDiscussion>Microsoft has implemented a variety of security support providers for use with RPC sessions. 
All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3666SV-52922CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinServerSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000073The shutdown option must not be available from the logon dialog box.<VulnDiscussion>Displaying the shutdown button may allow individuals to shut down a system anonymously. Only authenticated users should be allowed to shut down the system. 
Preventing display of this button in the logon dialog box ensures that individuals who shut down the system are authorized and tracked in the system's Security event log.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1075SV-52840CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Shutdown: Allow system to be shutdown without having to log on" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ShutdownWithoutLogon + +Value Type: REG_DWORD +Value: 0SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>WN12-SO-000074The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.<VulnDiscussion>This setting ensures that the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. 
Government and must be the algorithms used for all OS encryption functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52896V-3383CCI-002450Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ + +Value Name: Enabled + +Value Type: REG_DWORD +Value: 1 + +Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000075The system must be configured to require case insensitivity for non-Windows subsystems.<VulnDiscussion>This setting controls the behavior of non-Windows subsystems when dealing with the case of arguments or commands. Case sensitivity could lead to the access of files or commands that must be restricted. 
To prevent this from happening, case insensitivity restrictions must be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-3385SV-52897CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "System objects: Require case insensitivity for non-Windows subsystems" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\ + +Value Name: ObCaseInsensitive + +Value Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000076The default permissions of global system objects must be increased.<VulnDiscussion>Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. 
If this policy is enabled, the default DACL is stronger, allowing nonadministrative users to read shared objects, but not modify shared objects that they did not create.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52877V-1173CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\ + +Value Name: ProtectionMode + +Value Type: REG_DWORD +Value: 1SRG-OS-000373-GPOS-00157<GroupDescription></GroupDescription>WN12-SO-000077User Account Control approval mode for the built-in Administrator must be enabled.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode. 
+ +Satisfies: SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52946V-14234CCI-002038UAC requirements are NA on Server Core installations. + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled".UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: FilterAdministratorToken + +Value Type: REG_DWORD +Value: 1SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN12-SO-000078User Account Control must, at minimum, prompt administrators for consent.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures the elevation requirements for logged on administrators to complete a task that requires raised privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14235SV-52947CCI-001084UAC requirements are NA on Server Core installations. + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent". + +More secure options for this setting would also be acceptable (e.g., Prompt for credentials, Prompt for consent (or credentials) on the secure desktop).UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorAdmin + +Value Type: REG_DWORD +Value: 4 (Prompt for consent) +3 (Prompt for credentials) +2 (Prompt for consent on the secure desktop) +1 (Prompt for credentials on the secure desktop)SRG-OS-000373-GPOS-00157<GroupDescription></GroupDescription>WN12-SO-000079User Account Control must automatically deny standard user requests for elevation.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting controls the behavior of elevation when requested by a standard user account. + +Satisfies: SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14236SV-52948CCI-002038UAC requirements are NA on Server Core installations. + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests".UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorUser + +Value Type: REG_DWORD +Value: 0SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN12-SO-000080User Account Control must be configured to detect application installations and prompt for elevation.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting requires Windows to respond to application installation requests by prompting for credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52949V-14237CCI-001084UAC requirements are NA on Server Core installations. + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Detect application installations and prompt for elevation" to "Enabled".UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableInstallerDetection + +Value Type: REG_DWORD +Value: 1SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN12-SO-000081Windows must elevate all applications in User Account Control, not just signed ones.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures whether Windows elevates all applications, or only signed ones.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-16008SV-53142CCI-001084UAC requirements are NA on Server Core installations. + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Only elevate executables that are signed and validated" to "Disabled".UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ValidateAdminCodeSignatures + +Value Type: REG_DWORD +Value: 0SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN12-SO-000082User Account Control must only elevate UIAccess applications that are installed in secure locations.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\System32 folders, to run with elevated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14239SV-52950CCI-001084UAC requirements are NA on Server Core installations. + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled".UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableSecureUIAPaths + +Value Type: REG_DWORD +Value: 1SRG-OS-000373-GPOS-00157<GroupDescription></GroupDescription>WN12-SO-000083User Account Control must run all administrators in Admin Approval Mode, enabling UAC.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. 
+ +Satisfies: SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14240SV-52951CCI-002038UAC requirements are NA on Server Core installations. + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled".UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableLUA + +Value Type: REG_DWORD +Value: 1SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN12-SO-000084User Account Control must switch to the secure desktop when prompting for elevation.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting ensures that the elevation prompt is only used in secure desktop mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52952V-14241CCI-001084UAC requirements are NA on Server Core installations. + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Switch to the secure desktop when prompting for elevation" to "Enabled".UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: PromptOnSecureDesktop + +Value Type: REG_DWORD +Value: 1SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN12-SO-000085User Account Control must virtualize file and registry write failures to per-user locations.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52953V-14242CCI-001084UAC requirements are NA on Server Core installations. + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled".UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableVirtualization + +Value Type: REG_DWORD +Value: 1SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN12-SO-000086UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52223V-15991CCI-001084UAC requirements are NA on Server Core installations. + +Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" to "Disabled".UAC requirements are NA on Server Core installations. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableUIADesktopToggle + +Value Type: REG_DWORD +Value: 0SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-SO-000088Optional Subsystems must not be permitted to operate on the system.<VulnDiscussion>The POSIX subsystem is an Institute of Electrical and Electronic Engineers (IEEE) standard that defines a set of operating system services. The POSIX Subsystem is required if the server supports applications that use that subsystem. The subsystem introduces a security risk relating to processes that can potentially persist across logins. That is, if a user starts a process and then logs out, there is a potential that the next user who logs in to the system could access the previous users process. 
This is dangerous because the process started by the first user may retain that users system privileges, and anything the second user does with that process will be performed with the privileges of the first user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-4445SV-52219CCI-000381Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "System settings: Optional subsystems" to "Blank" (Configured with no entries).If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\ + +Value Name: Optional + +Value Type: REG_MULTI_SZ +Value: (Blank)SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-SO-000089The print driver installation privilege must be restricted to administrators.<VulnDiscussion>Allowing users to install drivers can introduce malware or cause the instability of a system. 
Print driver installation should be restricted to administrators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1151SV-52214CCI-001812Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Devices: Prevent users from installing printer drivers" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\ + +Value Name: AddPrinterDrivers + +Value Type: REG_DWORD +Value: 1SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN12-SO-000090-DCDomain controllers must require LDAP access signing.<VulnDiscussion>Unsigned network traffic is susceptible to man in the middle attacks where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. You can lower the risk of an attacker pulling this off in a corporate network by implementing strong physical security measures to protect the network infrastructure. 
Furthermore, implementing Internet Protocol security (IPSec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man in the middle attacks extremely difficult.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-4407SV-51140CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain controller: LDAP server signing requirements" to "Require signing".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\NTDS\Parameters\ + +Value Name: LDAPServerIntegrity + +Value Type: REG_DWORD +Value: 2SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SO-000091-DCDomain controllers must be configured to allow reset of machine account passwords.<VulnDiscussion>Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. 
If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-4408SV-51141CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain controller: Refuse machine account password changes" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RefusePasswordChange + +Value Type: REG_DWORD +Value: 0SRG-OS-000067-GPOS-00035<GroupDescription></GroupDescription>WN12-SO-000092Users must be required to enter a password to access private keys stored on the computer.<VulnDiscussion>If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. + +The cornerstone of the PKI is the private key used to encrypt or digitally sign information. + +If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. 
+ +Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-72049V-57639CCI-000186Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Force strong key protection for user keys stored on the computer" to "User must enter a password each time they use a key".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ + +Value Name: ForceKeyProtection + +Type: REG_DWORD +Value: 2SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-SV-000100The Fax service must be disabled if installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26600SV-52236CCI-000381Remove or disable the Fax (fax) service.Verify the Fax (fax) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Fax (fax)SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>WN12-SV-000101The Microsoft FTP service must not be installed unless required.<VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26602SV-52237CCI-000382Remove or disable the "Microsoft FTP Service" (Service name: FTPSVC). + +To remove the "FTP Server" role from a system: +Start "Server Manager" +Select the server with the "FTP Server" role. +Scroll down to "ROLES AND FEATURES" in the left pane. +Select "Remove Roles and Features" from the drop down "TASKS" list. 
+Select the appropriate server on the "Server Selection" page, click "Next". +De-select "FTP Server" under "Web Server (IIS). +Click "Next" and "Remove" as prompted.If the server has the role of an FTP server, this is NA. + +Run "Services.msc". + +If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disabled, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-SV-000103The Peer Networking Identity Manager service must be disabled if installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26604SV-52238CCI-000381Remove or disable the Peer Networking Identity Manager (p2pimsvc) service.Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Peer Networking Identity Manager (p2pimsvc)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-SV-000104The Simple TCP/IP Services service must be disabled if installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52239V-26605CCI-000381Remove or disable the Simple TCP/IP Services (simptcp) service.Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. + +Run "Services.msc". + +If the following is installed and not disabled, this is a finding: + +Simple TCP/IP Services (simptcp)SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>WN12-SV-000105The Telnet service must be disabled if installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26606SV-52240CCI-000382Remove or disable the Telnet (tlntsvr) service.Verify the Telnet (tlntsvr) service is not installed or is disabled. + +Run "Services.msc". 
+ +If the following is installed and not disabled, this is a finding: + +Telnet (tlntsvr)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-SV-000106The Smart Card Removal Policy service must be configured to automatic.<VulnDiscussion>The automatic start of the Smart Card Removal Policy service is required to support the smart card removal behavior requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52165V-40206CCI-000366Configure the Startup Type for the Smart Card Removal Policy service to "Automatic".Verify the Smart Card Removal Policy service is configured to "Automatic". + +Run "Services.msc". + +If the Startup Type for Smart Card Removal Policy is not set to Automatic, this is a finding.SRG-OS-000031-GPOS-00012<GroupDescription></GroupDescription>WN12-UC-000001A screen saver must be enabled on the system.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked when unattended. 
Enabling a password-protected screen saver to engage after a specified period of time helps protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36656SV-51758CCI-000060Configure the policy value for User Configuration -> Administrative Templates -> Control Panel -> Personalization -> "Enable screen saver" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: ScreenSaveActive + +Type: REG_SZ +Value: 1 + +Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO: + +-The logon session does not have administrator rights. +-The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>WN12-UC-000003The screen saver must be password protected.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked when unattended. 
Enabling a password-protected screen saver to engage after a specified period of time helps protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-36657SV-51760CCI-000056Configure the policy value for User Configuration -> Administrative Templates -> Control Panel -> Personalization -> "Password protect the screen saver" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ + +Value Name: ScreenSaverIsSecure + +Type: REG_SZ +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-UC-000005Notifications from Windows Push Network Service must be turned off.<VulnDiscussion>The Windows Push Notification Service (WNS) allows third-party vendors to send updates for toasts, tiles, and badges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51762V-36776CCI-000381Configure the policy value for User Configuration -> 
Administrative Templates -> Start Menu and Taskbar -> Notifications -> "Turn off notifications network usage" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ + +Value Name: NoCloudApplicationNotification + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-UC-000006Toast notifications to the lock screen must be turned off.<VulnDiscussion>Toast notifications that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51763V-36777CCI-000381Configure the policy value for User Configuration -> Administrative Templates -> Start Menu and Taskbar -> Notifications -> "Turn off toast notifications on the lock screen" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ + +Value Name: NoToastApplicationNotificationOnLockScreen + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-UC-000007The Windows Help Experience Improvement Program must be disabled.<VulnDiscussion>Some features may communicate with the vendor, sending system 
information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. +This setting ensures the Windows Help Experience Improvement Program is disabled to prevent information from being passed to the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-16021SV-53144CCI-000381Configure the policy value for User Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Help Experience Improvement Program" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ + +Value Name: NoImplicitFeedback + +Type: REG_DWORD +Value: 1SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN12-UC-000008Windows Help Ratings feedback must be turned off.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
+This setting ensures users cannot provide ratings feedback to Microsoft for Help content.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-16048SV-53145CCI-000381Configure the policy value for User Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Help Ratings" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ + +Value Name: NoExplicitFeedback + +Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-UC-000009Zone information must be preserved when saving attachments.<VulnDiscussion>Preserving zone of origin (internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-14268SV-53002CCI-000366Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Do not 
preserve zone information in file attachments" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: SaveZoneInformation + +Type: REG_DWORD +Value: 2SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-UC-000010Mechanisms for removing zone information from file attachments must be hidden.<VulnDiscussion>Preserving zone of origin (internet, intranet, local, restricted) information on file attachments allows Windows to determine risk. This setting prevents users from manually removing zone information from saved file attachments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53004V-14269CCI-000366Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Hide mechanisms to remove zone information" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: HideZoneInfoOnProperties + +Type: REG_DWORD +Value: 1SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN12-UC-000011The system must notify antivirus when file attachments are opened.<VulnDiscussion>Attaching malicious files is a known avenue of attack. 
This setting configures the system to notify antivirus programs when a user opens a file attachment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53006V-14270CCI-000366Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Notify antivirus programs when opening attachments" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: ScanWithAntiVirus + +Type: REG_DWORD +Value: 3SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>WN12-UC-000012Users must be prevented from sharing files in their profiles.<VulnDiscussion>Allowing users to share files in their profiles may provide unauthorized access or result in the exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53140V-15727CCI-000366Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Network Sharing -> 
"Prevent users from sharing files within their profile" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoInPlaceSharing + +Type: REG_DWORD +Value: 1SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN12-UC-000013Media Player must be configured to prevent automatic Codec downloads.<VulnDiscussion>The Windows Media Player uses software components, referred to as Codecs, to play back media files. By default, when an unknown file type is opened with the Media Player, it will search the Internet for the appropriate Codec and automatically download it. To ensure platform consistency and to protect against new vulnerabilities associated with media types, all Codecs must be installed by the System Administrator.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52921V-3481CCI-001812Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> Playback -> "Prevent Codec Download" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ + +Value Name: PreventCodecDownload + +Type: REG_DWORD +Value: 1SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000001The Access Credential Manager as a trusted caller 
user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Access Credential Manager as a trusted caller" user right may be able to retrieve the credentials of other accounts from Credential Manager.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53120V-26469CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN12-UR-000002-DCUnauthorized accounts must not have the Access this computer from the network user right on domain controllers.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
+ +Accounts with the "Access this computer from the network" right may access resources on the system and should be limited to those requiring it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26470SV-51142CCI-000213Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Access this computer from the network" to only include the following accounts or groups: + +Administrators +Authenticated Users +Enterprise Domain ControllersVerify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding: + +Administrators +Authenticated Users +Enterprise Domain ControllersSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000003The Act as part of the operating system user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Act as part of the operating system" user right can assume the identity of any user and gain access to resources that user is authorized to access. 
Any accounts with this right can take complete control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1102SV-52108CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN12-UR-000005The Allow log on locally user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
+ +Accounts with the "Allow log on locally" user right can log on interactively to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26472SV-52110CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: + +Administrators + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000007The Back up files and directories user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
+ +Accounts with the "Back up files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26474SV-52111CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding: + +Administrators + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000011The Create a pagefile user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
+ +Accounts with the "Create a pagefile" user right can change the size of a pagefile, which could affect system performance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53063V-26478CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a pagefile" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding: + +AdministratorsSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000012The Create a token object user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Create a token object" user right allows a process to create an access token. 
This could be used to provide elevated rights and compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52113V-26479CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups are granted the "Create a token object" user right, this is a finding. + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000013The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
+ +Accounts with the "Create global objects" user right can create objects that are available to all sessions, which could affect processes in other users' sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52114V-26480CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create global objects" to only include the following accounts or groups: + +Administrators +Service +Local Service +Network ServiceVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding: + +Administrators +Service +Local Service +Network Service + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. 
+ +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000014The Create permanent shared objects user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Create permanent shared objects" user right could expose sensitive data by creating shared objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26481SV-53059CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create permanent shared objects" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000015The Create symbolic links user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
+ +Accounts with the "Create symbolic links" user right can create pointers to other objects, which could potentially expose the system to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26482SV-53054CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create symbolic links" to only include the following accounts or groups: + +Administrators + +Systems that have the Hyper-V role will also have "Virtual Machines" given this user right. If this needs to be added manually, enter it as "NT Virtual Machine\Virtual Machines".Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding: + +Administrators + +Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines"). This is not a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000016The Debug programs user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
+ +Accounts with the "Debug programs" user right can attach a debugger to any process or to the kernel, providing complete access to sensitive and critical operating system components. This right is given to Administrators in the default configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52115V-18010CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding: + +Administrators + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. 
+ +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN12-UR-000017-DCThe Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny access to this computer from the network" user right defines the accounts that are prevented from logging on from the network. + +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-1155SV-51144CCI-000213Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny access to this computer from the network" to include the following: + +Guests GroupVerify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: + +Guests GroupSRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN12-UR-000018-DCThe Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on as a batch job" user right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler. + +The Guests group must be assigned to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26483SV-51145CCI-000213Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on as a batch job" to include the following: + +Guests GroupVerify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding: + +Guests GroupSRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN12-UR-000019-DCThe Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on as a service" user right defines accounts that are denied log on as a service. + +Incorrect configurations could prevent services from starting and result in a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26484SV-51146CCI-000213Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on as a service" to include no entries (blank).Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups are defined for the "Deny log on as a service" user right, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN12-UR-000020-DCThe Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on locally" user right defines accounts that are prevented from logging on interactively. + +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26485SV-51147CCI-000213Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on locally" to include the following: + +Guests GroupVerify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: + +Guests GroupSRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN12-UR-000021-DCThe Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on through Remote Desktop Services" user right defines the accounts that are prevented from logging on using Remote Desktop Services. + +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26486SV-51148CCI-000213Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on through Remote Desktop Services" to include the following: + +Guests GroupVerify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: + +Guests GroupSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000022-DCUnauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on domain controllers.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. This could potentially allow unauthorized users to impersonate other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51149V-26487CCI-002235Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Enable computer and user accounts to be trusted for delegation" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding: + +AdministratorsSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000023The Force shutdown from a remote system user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Force shutdown from a remote system" user right can remotely shut down a system, which could result in a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53050V-26488CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: + +AdministratorsSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000024The Generate security audits user right must only be assigned to Local Service and Network Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Generate security audits" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52116V-26489CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Generate security audits" to only include the following accounts or groups: + +Local Service +Network ServiceVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding: + +Local Service +Network Service + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. 
+ +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000025The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Impersonate a client after authentication" user right allows a program to impersonate another user or account to run on their behalf. An attacker could potentially use this to elevate privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52117V-26490CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to only include the following accounts or groups: + +Administrators +Service +Local Service +Network ServiceVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: + +Administrators +Service +Local Service +Network Service + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000027The Increase scheduling priority user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Increase scheduling priority" user right can change a scheduling priority causing performance issues or a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26492SV-52118CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Increase scheduling priority" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding: + +Administrators + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000028The Load and unload device drivers user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Load and unload device drivers" user right allows device drivers to dynamically be loaded on a system by a user. This could potentially be used to install malicious code by an attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26493SV-53043CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding: + +AdministratorsSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000029The Lock pages in memory user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Lock pages in memory" user right allows physical memory to be assigned to processes, which could cause performance issues or a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26494SV-52119CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding. + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. 
+ +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>WN12-UR-000032The Manage auditing and security log user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Manage auditing and security log" user right can manage the security log and change auditing configurations. This could be used to clear evidence of tampering.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53039V-26496CCI-000162CCI-000163CCI-000164CCI-000171CCI-001914Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: + +Administrators + +If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. 
+ +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000034The Modify firmware environment values user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Modify firmware environment values" user right can change hardware configuration environment variables. This could result in hardware failures or a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53029V-26498CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Modify firmware environment values" to only include the following accounts or groups: + +Administrators +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding: + +AdministratorsSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000035The Perform volume maintenance tasks user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Perform volume maintenance tasks" user right can manage volume and disk configurations. They could potentially delete volumes, resulting in data loss or a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-53025V-26499CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: + +AdministratorsSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000036The Profile single process user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Profile single process" user right can monitor nonsystem processes performance. An attacker could potentially use this to identify processes to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26500SV-53022CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Profile single process" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding: + +AdministratorsSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000040The Restore files and directories user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Restore files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data. It could also be used to overwrite more current data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26504SV-52122CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding: + +Administrators + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. 
+ +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000042The Take ownership of files or other objects user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Take ownership of files or other objects" user right can take ownership of objects and make changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-52123V-26506CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Take ownership of files or other objects" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: + +Administrators + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. 
+ +The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN12-UR-000044-DCUnauthorized accounts must not have the Add workstations to domain user right.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Add workstations to domain" right may add computers to a domain. This could result in unapproved or incorrectly configured systems being added to a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217SV-51143V-30016CCI-002235Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Add workstations to domain" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding: + +AdministratorsSRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN12-UR-000006-DCThe Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Allow log on through Remote Desktop Services" user right can access a system through Remote Desktop.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2012-2012 R2 Domain ControllerDISADPMS TargetWindows Server 2012-2012 R2 Domain Controller4217V-26473SV-53119CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on through Remote Desktop Services" to only include the following accounts or groups: + +AdministratorsVerify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: + +Administrators 
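Review bot: the legacy identifier order is not consistent across the added rules, so the LegacyId extraction must not rely on position. In WN12-UR-000036 the idents appear as `4217V-26500SV-53022CCI-002235` (V- id first), while in WN12-UR-000042 they appear as `4217SV-52123V-26506CCI-002235` (SV- id first); logic that takes the first ident as the vuln id and the second as the rule id will swap them for the second rule. Match on the `V-`/`SV-` prefix instead and add a test covering both orderings. Also, WN12-UR-000044-DC uses `->` as the path separator where the neighbouring rules use `>>`; confirm the UserRightsAssignment parser accepts both forms, otherwise that rule will not convert.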
diff --git a/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_STIG_V2R17_Manual-xccdf.log b/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_STIG_V2R17_Manual-xccdf.log deleted file mode 100644 index 4db1c0f5f..000000000 --- a/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_STIG_V2R17_Manual-xccdf.log +++ /dev/null 
@@ -1,9 +0,0 @@ -V-2372::"Store password using reversible encryption"::"Store passwords using reversible encryption" -V-6836::"Minimum password length,"::"Minimum password length" -V-6840::*::HardCodedRule(AuditSettingRule)@{DscResource = 'AuditSetting'; DesiredValue = $true; Operator = '-eq'; Property = 'PasswordExpires'; Query = "SELECT * FROM Win32_UserAccount WHERE Disabled=$false AND LocalAccount=$true"} -V-7002::*::HardCodedRule(AuditSettingRule)@{DscResource = 'AuditSetting'; DesiredValue = $true; Operator = '-eq'; Property = 'PasswordRequired'; Query = "SELECT * FROM Win32_UserAccount WHERE Disabled=$false AND LocalAccount=$true"} -V-36707::Value: 0x00000001 (1) ::Value: 1 Or 2 -V-36736::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct Certificate Revocation Checking service information'} -V-42420::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct Firewall service information'} -V-80473::*::HardCodedRule(AuditSettingRule)@{DscResource = 'AuditSetting'; DesiredValue = '6.3.9600.17415'; Operator = '-ge'; Property = 'Version'; Query = "SELECT * FROM CIM_Datafile WHERE FileName='powershell' AND Path LIKE '%\\Windows\\System32\\WindowsPowerShell\\v1.0\\%' AND Extension='exe'"} -V-80475::Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ 
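Review bot: deleting this override log drops the HardCodedRule entries for V-6840, V-7002, V-36736, V-42420 and V-80473 and the text corrections for V-2372, V-6836, V-36707 and V-80475 together with the V2R17 archive. If the log for the replacement STIG does not carry forward equivalents for the corresponding rules (the PasswordExpires and PasswordRequired AuditSetting queries, the certificate revocation and firewall Service rules, the PowerShell version check, the ScriptBlockLogging registry path fix), those rules will be parsed from the raw DISA text again; confirm the new log covers them or that the updated STIG text no longer needs the overrides.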
diff --git a/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_STIG_V2R17_Manual-xccdf.xml b/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_STIG_V2R17_Manual-xccdf.xml deleted file mode 100644 index 37ce6d1e6..000000000 --- a/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_STIG_V2R17_Manual-xccdf.xml +++ /dev/null 
@@ -1,4088 +0,0 @@ -acceptedWindows Server 2012/2012 R2 Member Server Security Technical Implementation GuideThe Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.Developed_by_DISA_for_the_DoDDISASTIG.DOD.MILRelease: 17 Benchmark Date: 25 Oct 20192I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>Physical security<GroupDescription></GroupDescription>WN12-00-000001Server systems must be located in a controlled access area, accessible only to authorized personnel.<VulnDiscussion>Inadequate physical protection can undermine all other security precautions utilized to protect the system. This can jeopardize the confidentiality, availability, and integrity of the system. Physical security is the first line of protection of any system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Ensure servers are located in secure, access-controlled areas.Verify servers are located in controlled access areas that are accessible only to authorized personnel. 
If systems are not adequately protected, this is a finding.Shared User Accounts<GroupDescription></GroupDescription>WN12-00-000012Shared user accounts must not be permitted on the system.<VulnDiscussion>Shared accounts (accounts where two or more people log in with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000764Remove unapproved shared accounts from the system. - -Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.Determine whether any shared accounts exist. If no shared accounts exist, this is NA. - -Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. - -If unapproved shared accounts exist, this is a finding.Unsupported Service Packs<GroupDescription></GroupDescription>WN12-GE-000001Systems must be maintained at a supported service pack level.<VulnDiscussion>Systems at unsupported service packs or releases will not receive security updates for new vulnerabilities, which leave them subject to exploitation. 
Systems must be maintained at a service pack level supported by the vendor with new security updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Update the system to a supported release or service pack level.Run "winver.exe". - -If the "About Windows" dialog box does not display -"Microsoft Windows Server -Version 6.2 (Build 9200)" -or greater, this is a finding. - -No preview versions will be used in a production environment. - -Unsupported Service Packs/Releases: -Windows 2012 - any release candidates or versions prior to the initial release.WIN00-000100<GroupDescription></GroupDescription>WN12-00-000100The Windows 2012 / 2012 R2 system must use an anti-virus program.<VulnDiscussion>Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Install an anti-virus solution on the system.Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. 
- -If there is no anti-virus solution installed on the system, this is a finding.Display Shutdown Button<GroupDescription></GroupDescription>WN12-SO-000073The shutdown option must not be available from the logon dialog box.<VulnDiscussion>Displaying the shutdown button may allow individuals to shut down a system anonymously. Only authenticated users should be allowed to shut down the system. Preventing display of this button in the logon dialog box ensures that individuals who shut down the system are authorized and tracked in the system's Security event log.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25100-9CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Shutdown: Allow system to be shutdown without having to log on" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: ShutdownWithoutLogon - -Value Type: REG_DWORD -Value: 0System Recovery Backups<GroupDescription></GroupDescription>WN12-00-000014System-level information must be backed up in accordance with local recovery time and recovery point objectives.<VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. - -System-level information includes system-state information, operating system and application software, and licenses. 
- -Backups must be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Implement system-level information backups in accordance with local recovery time and recovery point objectives.Determine whether system-level information is backed up in accordance with local recovery time and recovery point objectives. If system-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.NTFS Requirement<GroupDescription></GroupDescription>WN12-GE-000005Local volumes must use a format that supports NTFS attributes.<VulnDiscussion>The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, local volumes must be formatted using a file system that supports NTFS attributes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000213Format local volumes to use NTFS or ReFS.Open "Computer Management". - -Select "Disk Management" under "Storage". - -For each local volume, if the file system does not indicate "NTFS", this is a finding. - -"ReFS" (Resilient File System) is also acceptable and would not be a finding. 
- -This does not apply to system partitions such as the Recovery and EFI System Partition.Legal Notice Display<GroupDescription></GroupDescription>WN12-SO-000022The required legal notice must be configured to display before console logon.<VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25355-9CCI-000048CCI-000050CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message text for users attempting to log on" to the following: - -You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
- --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: LegalNoticeText - -Value Type: REG_SZ -Value: See message text below - -You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
- --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.Caching of logon credentials<GroupDescription></GroupDescription>WN12-SO-000024Caching of logon credentials must be limited.<VulnDiscussion>The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well-protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24264-4CCI-000366If the system is not a member of a domain, this is NA. - -Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)" to "4" logons or less.If the system is not a member of a domain, this is NA. 
- -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Value Name: CachedLogonsCount - -Value Type: REG_SZ -Value: 4 (or less)Anonymous shares are not restricted<GroupDescription></GroupDescription>WN12-SO-000052Anonymous enumeration of shares must be restricted.<VulnDiscussion>Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24774-2CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\ - -Value Name: RestrictAnonymous - -Value Type: REG_DWORD -Value: 1Bad Logon Attempts<GroupDescription></GroupDescription>WN12-AC-000002The number of allowed bad logon attempts must meet minimum requirements.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. 
The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack, while allowing for honest errors made during a normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23909-5CCI-000044Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy -> "Account lockout threshold" to "3" or less invalid logon attempts (excluding "0" which is unacceptable).Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy. - -If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding.Bad Logon Counter Reset<GroupDescription></GroupDescription>WN12-AC-000003The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to "0". 
The smaller this value is, the less effective the account lockout feature will be in protecting the local system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24840-1CCI-000044CCI-002238Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes.Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. - -If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.Lockout Duration<GroupDescription></GroupDescription>WN12-AC-000001Windows 2012 account lockout duration must be configured to 15 minutes or greater.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. 
This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24768-4CCI-002238Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. - -A value of "0" is also acceptable, requiring an administrator to unlock the account.Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. - -If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. - -Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.User Right - Act as part of OS<GroupDescription></GroupDescription>WN12-UR-000003The Act as part of the operating system user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Act as part of the operating system" user right can assume the identity of any user and gain access to resources that user is authorized to access. 
Any accounts with this right can take complete control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25043-1CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. - -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Maximum Password Age <GroupDescription></GroupDescription>WN12-AC-000005The maximum password age must meet requirements.<VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. 
Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24535-7CCI-000199Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Maximum password age" to "60" days or less (excluding "0" which is unacceptable).Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. - -If the value for the "Maximum password age" is greater than "60" days, this is a finding. If the value is set to "0" (never expires), this is a finding.Minimum Password Age<GroupDescription></GroupDescription>WN12-AC-000006The minimum password age must meet requirements.<VulnDiscussion>Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. 
This enables users to effectively negate the purpose of mandating periodic password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24018-4CCI-000198Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Minimum password age" to at least "1" day.Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. - -If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately."), this is a finding.Password Uniqueness<GroupDescription></GroupDescription>WN12-AC-000004The password history must be configured to 24 passwords remembered.<VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is 24 for Windows domain systems. 
DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24644-7CCI-000200Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered.Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.Dormant Accounts<GroupDescription></GroupDescription>WN12-GE-000014Outdated or unused accounts must be removed from the system or disabled.<VulnDiscussion>Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000795Regularly review accounts to determine if they are still active. Disable or delete any active accounts that have not been used in the last 35 days.Run "PowerShell". 
- -Member servers and standalone systems: -Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) - -"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { - $user = ([ADSI]$_.Path) - $lastLogin = $user.Properties.LastLogin.Value - $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 - if ($lastLogin -eq $null) { - $lastLogin = 'Never' - } - Write-Host $user.Name $lastLogin $enabled -}" - -This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). -For example: User1 10/31/2015 5:49:56 AM True - -Domain Controllers: -Enter the following command in PowerShell. -"Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" - -This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. - -Review the list of accounts returned by the above queries to determine the finding validity for each account reported. - -Exclude the following accounts: -Built-in administrator account (Renamed, SID ending in 500) -Built-in guest account (Renamed, Disabled, SID ending in 501) -Application accounts - -If any enabled accounts have not been logged on to within the past 35 days, this is a finding. - -Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.Disable Guest Account<GroupDescription></GroupDescription>WN12-SO-000003The built-in guest account must be disabled.<VulnDiscussion>A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted. 
This account is initialized during the installation of the operating system with no password assigned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24387-3CCI-000804Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Guest account status" to "Disabled".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. - -If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding.Rename Built-in Guest Account<GroupDescription></GroupDescription>WN12-SO-000006The built-in guest account must be renamed.<VulnDiscussion>The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. 
Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23675-2CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Rename guest account" to a name other than "Guest".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. - -If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding.Rename Built-in Administrator Account<GroupDescription></GroupDescription>WN12-SO-000005The built-in administrator account must be renamed.<VulnDiscussion>The built-in administrator account is a well-known account subject to attack. 
Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23836-0CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Rename administrator account" to a name other than "Administrator".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. - -If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding.Booting into Multiple Operating Systems<GroupDescription></GroupDescription>WN12-GE-000010The system must not boot into multiple operating systems (dual-boot).<VulnDiscussion>Allowing a system to boot into multiple operating systems (dual-booting) may allow security to be circumvented on a secure system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Ensure Windows Server 2012 is the only operating system installed for the system to boot into. 
Remove alternate operating systems.Verify the local system boots directly into Windows. - -Open Control Panel. -Select "System". -Select the "Advanced System Settings" link. -Select the "Advanced" tab. -Click the "Startup and Recovery" Settings button. - -If the drop-down list box "Default operating system:" shows any operating system other than Windows Server 2012, this is a finding.Prohibited FTP Logins<GroupDescription></GroupDescription>WN12-GE-000026File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.<VulnDiscussion>The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult. - -Using accounts that have administrator privileges to log on to FTP risks that the userid and password will be captured on the network and give administrator access to an unauthorized user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Configure the FTP service to prevent anonymous logons.If FTP is not installed on the system, this is NA. - -Determine the IP address and port number assigned to FTP sites from documentation or configuration. - -If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". - -Select "Sites" under the server name. - -For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. - -Open a "Command Prompt". - -Attempt to log on as the user "anonymous" with the following commands: - -Note: Returned results may vary depending on the FTP server software. 
- -C:\> "ftp" -ftp> "Open IP Address Port" -(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) -(Connected to IP Address -220 Microsoft FTP Service) - -User (IP Address): "anonymous" -(331 Anonymous access allowed, send identity (e-mail name) as password.) - -Password: "password" -(230 User logged in.) -ftp> - -If the response indicates that an anonymous FTP login was permitted, this is a finding. - -If accounts with administrator privileges are used to access FTP, this is a CAT I finding.FTP System File Access<GroupDescription></GroupDescription>WN12-GE-000027File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive.<VulnDiscussion>The FTP service allows remote users to access shared files and directories. Access outside of the specific directories of shared data could provide access to system resources and compromise the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Configure the system to only allow FTP access to specific folders containing the data to be available through the service.If FTP is not installed on the system, this is NA. - -Determine the IP address and port number assigned to FTP sites from documentation or configuration. - -If Microsoft FTP is used, open "Internet Information Services (IIS) Manager". - -Select "Sites" under the server name. - -For any sites that reference FTP, view the Binding information for IP address and port. The standard port for FTP is 21, however this may be changed. - -Open a "Command Prompt". 
- -Access the FTP site and review accessible directories with the following commands: - -Note: Returned results may vary depending on the FTP server software. - -C:\> "ftp" -ftp> "Open IP Address Port" -(Substituting [IP Address] and [Port] with the information previously identified. If no IP Address was listed in the Binding, attempt using "localhost".) -(Connected to IP Address -220 Microsoft FTP Service) - -User (IP Address): "FTP User" -(Substituting [FTP User] with an account identified that is allowed access. If it was determined that anonymous access was allowed to the site [see V-1120], also review access using "anonymous".) - (331 Password required) - -Password: "Password" -(Substituting [Password] with password for the account attempting access.) -(230 User ftpuser logged in.) - -ftp> "Dir" - -If the FTP session indicates access to areas of the system other than the specific folder for FTP data, such as the root of the drive, Program Files or Windows directories, this is a finding.Restricted Administrator Group Membership<GroupDescription></GroupDescription>WN12-GE-000004-MSOnly administrators responsible for the member server must have Administrator rights on the system.<VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. - -System administrators must log on to systems only using accounts with the minimum level of authority necessary. - -For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group (see V-36433 in the Active Directory Domain STIG). Restricting highly privileged accounts from the local Administrators group helps mitigate the risk of privilege escalation resulting from credential theft attacks. 
- -Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-002235Configure the system to include only administrator groups or accounts that are responsible for the system in the local Administrators group. - -For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. - -Remove any standard user accounts.Review the local Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. - -For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. - -Standard user accounts must not be members of the local Administrator group. - -If prohibited accounts are members of the local Administrators group, this is a finding. - -The built-in Administrator account or other required administrative accounts would not be a finding.Security Configuration Tools<GroupDescription></GroupDescription>WN12-00-000013Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.<VulnDiscussion>Security configuration tools such as Group Policies and Security Templates allow system administrators to consolidate security-related system settings into a single configuration file. 
These settings can then be applied consistently to any number of Windows machines.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Implement a process using security configuration tools or the equivalent to configure Windows systems to meet security requirements.Verify security configuration tools or equivalent processes are being used to configure Windows systems to meet security requirements. If security configuration tools or equivalent processes are not used, this is a finding. - -Security configuration tools that are integrated into Windows, such as Group Policies and Security Templates, may be used to configure platforms for security compliance. - -If an alternate method is used to configure a system (e.g., manually using the DISA Windows Security STIGs, etc.) and the same configured result is achieved, this is acceptable.Printer Share Permissions<GroupDescription></GroupDescription>WN12-GE-000012Nonadministrative user accounts or groups must only have print permissions on printer shares.<VulnDiscussion>Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. 
Improper configuration can permit access to devices and data beyond a user's need.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000213Configure the permissions on shared printers to restrict standard users to only have Print permissions. This is typically given through the Everyone group by default.Open "Devices and Printers" in Control Panel or through Search. -If there are no printers configured, this is NA.(Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) - -For each configured printer: -Right click on the printer. -Select "Printer Properties". -Select the "Sharing" tab. -View whether "Share this printer" is checked. - -For any printers with "Share this printer" selected: -Select the Security tab. - -If any standard user accounts or groups have permissions other than "Print", this is a finding. -Standard users will typically be given "Print" permission through the Everyone group. -"All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement.Forcibly Disconnect when Logon Hours Expire<GroupDescription></GroupDescription>WN12-SO-000034Users must be forcibly disconnected when their logon hours expire.<VulnDiscussion>Users must not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored. 
Forcibly disconnecting users when logon hours expire protects critical and sensitive network data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24148-9CCI-001133Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Disconnect clients when logon hours expire" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ - -Value Name: EnableForcedLogoff - -Value Type: REG_DWORD -Value: 1Unencrypted Password is Sent to SMB Server.<GroupDescription></GroupDescription>WN12-SO-000030Unencrypted passwords must not be sent to third-party SMB Servers.<VulnDiscussion>Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the overall security of the environment. 
Check with the vendor of the SMB server to see if there is a way to support encrypted password authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24751-0CCI-000197Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Client: Send unencrypted password to third-party SMB servers" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ - -Value Name: EnablePlainTextPassword - -Value Type: REG_DWORD -Value: 0Disable Automatic Logon<GroupDescription></GroupDescription>WN12-SO-000036Automatic logons must be disabled.<VulnDiscussion>Allowing a system to automatically log on when the machine is booted could give access to any unauthorized individual who restarts the computer. 
Automatic logon with administrator privileges would give full access to an unauthorized individual.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance>If the DefaultName or DefaultDomainName in the same registry path contain an administrator account name and the DefaultPassword contains a value, this is a CAT I finding.</SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24927-6CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" to "Disabled". - -Ensure no passwords are stored in the "DefaultPassword" registry value noted below: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Value Name: DefaultPassword - -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Value Name: AutoAdminLogon - -Type: REG_SZ -Value: 0Microsoft Strong Password Filtering<GroupDescription></GroupDescription>WN12-AC-000008The built-in Windows password complexity policy must be enabled.<VulnDiscussion>The use of complex passwords increases their strength against attack. 
The built-in Windows password complexity policy requires passwords to contain at least 3 of the 4 types of characters (numbers, upper- and lower-case letters, and special characters), as well as preventing the inclusion of user names or parts of.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25602-4CCI-000192CCI-000193CCI-000194CCI-001619Configure the policy value for Computer Configuration >> Windows Settings -> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. - -Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.Secure Print Driver Installation<GroupDescription></GroupDescription>WN12-SO-000089The print driver installation privilege must be restricted to administrators.<VulnDiscussion>Allowing users to install drivers can introduce malware or cause the instability of a system. 
Print driver installation should be restricted to administrators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25176-9CCI-001812Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Devices: Prevent users from installing printer drivers" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\ - -Value Name: AddPrinterDrivers - -Value Type: REG_DWORD -Value: 1Anonymous Access to the Registry<GroupDescription></GroupDescription>WN12-RG-000004Anonymous access to the registry must be restricted.<VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. Some processes may require anonymous access to the registry. This must be limited to properly protect the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-002235Maintain permissions at least as restrictive as the defaults listed below for the "winreg" registry key. It is recommended to not change the permissions from the defaults. 
- -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ - -The following are the same for each permission listed: -Type - Allow -Inherited from - None - -Columns: Principal - Access - Applies to -Administrators - Full Control - This key and subkeys -Backup Operators - Read - This key only -LOCAL SERVICE - Read - This key and subkeysRun "Regedit". -Navigate to the following registry key: -HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\ - -If the key does not exist, this is a finding. - -Right-click on "winreg" and select "Permissions…". -Select "Advanced". - -If the permissions are not as restrictive as the defaults listed below, this is a finding. - -The following are the same for each permission listed: -Type - Allow -Inherited from - None - -Columns: Principal - Access - Applies to -Administrators - Full Control - This key and subkeys -Backup Operators - Read - This key only -LOCAL SERVICE - Read - This key and subkeysLanMan Authentication Level<GroupDescription></GroupDescription>WN12-SO-000067The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.<VulnDiscussion>The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. 
It is also used to authenticate logons to stand-alone computers that are running later versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24650-4CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\ - -Value Name: LmCompatibilityLevel - -Value Type: REG_DWORD -Value: 5Ctrl+Alt+Del Security Attention Sequence<GroupDescription></GroupDescription>WN12-SO-000019The Ctrl+Alt+Del security attention sequence for logons must be enabled.<VulnDiscussion>Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, a user can be assured that any passwords entered following that sequence are sent only to Windows. If the sequence requirement is eliminated, malicious programs can request and receive a user's Windows password. 
Disabling this sequence also suppresses a custom logon banner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25803-8CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Do not require CTRL+ALT+DEL" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: DisableCAD - -Value Type: REG_DWORD -Value: 0Deny Access from the Network<GroupDescription></GroupDescription>WN12-UR-000017-MSThe Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Deny access to this computer from the network" user right defines the accounts that are prevented from logging on from the network. - -In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. - -Local accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. 
- -The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24188-5CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following: - -Domain Systems Only: -Enterprise Admins group -Domain Admins group -"Local account and member of Administrators group" or "Local account" (see Note below) - -All Systems: -Guests group - -Note: Windows Server 2012 R2 added new built-in security groups, "Local account" and "Local account and member of Administrators group". "Local account" is more restrictive but may cause issues on servers such as systems that provide Failover Clustering. -Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012.Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding: - -Domain Systems Only: -Enterprise Admins group -Domain Admins group -"Local account and member of Administrators group" or "Local account" (see Note below) - -All Systems: -Guests group - -Note: Windows Server 2012 R2 added new built-in security groups, "Local account" and "Local account and member of Administrators group". 
"Local account" is more restrictive but may cause issues on servers such as systems that provide Failover Clustering. -Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012.Smart Card Removal Option <GroupDescription></GroupDescription>WN12-SO-000027The Smart Card removal option must be configured to Force Logoff or Lock Workstation.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24154-7CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Value Name: SCRemoveOption - -Value Type: REG_SZ -Value: 1 (Lock Workstation) or 2 (Force Logoff) - -If configuring this on servers causes issues such as terminating users' remote sessions and the site has a policy in place that any other sessions on the servers such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. 
This must be documented with the ISSO.SMB Server Packet Signing (if client agrees)<GroupDescription></GroupDescription>WN12-SO-000033The Windows SMB server must perform SMB packet signing when possible.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24354-3CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Digitally sign communications (if client agrees)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ - -Value Name: EnableSecuritySignature - -Value Type: REG_DWORD -Value: 1Encryption of Secure Channel Traffic<GroupDescription></GroupDescription>WN12-SO-000013Outgoing secure channel traffic must be encrypted when possible.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24414-5CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt secure channel data (when possible)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: SealSecureChannel - -Value Type: REG_DWORD -Value: 1 - -If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).Signing of Secure Channel Traffic<GroupDescription></GroupDescription>WN12-SO-000014Outgoing secure channel traffic must be signed when possible.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. 
If this policy is enabled, outgoing secure channel traffic will be signed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24812-0CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally sign secure channel data (when possible)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: SignSecureChannel - -Value Type: REG_DWORD -Value: 1 - -If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this can be NA (see V-6831).Computer Account Password Reset<GroupDescription></GroupDescription>WN12-SO-000015The computer account password must not be prevented from being reset.<VulnDiscussion>Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. 
A new password for the computer account will be generated every 30 days.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24243-8CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Disable machine account password changes" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: DisablePasswordChange - -Value Type: REG_DWORD -Value: 0SMB Client Packet Signing (if server agrees)<GroupDescription></GroupDescription>WN12-SO-000029The Windows SMB client must be enabled to perform SMB packet signing when possible.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. 
If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24740-3CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network client: Digitally sign communications (if server agrees)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ - -Value Name: EnableSecuritySignature - -Value Type: REG_DWORD -Value: 1Members of the Backup Operators Group<GroupDescription></GroupDescription>WN12-00-000009-01Members of the Backup Operators group must be documented.<VulnDiscussion>Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. 
Visibility of members of the Backup Operators group must be maintained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Create the necessary documentation that identifies the members of the Backup Operators group.If no accounts are members of the Backup Operators group, this is NA. - -Any accounts that are members of the Backup Operators group, including application accounts, must be documented with the ISSO. If documentation of accounts that are members of the Backup Operators group is not maintained this is a finding.Format and Eject Removable Media<GroupDescription></GroupDescription>WN12-SO-000011Ejection of removable NTFS media must be restricted to Administrators.<VulnDiscussion>Removable hard drives, if they are not properly configured, can be formatted and ejected by users who are not members of the Administrators Group. 
Formatting and ejecting removable NTFS media must only be done by administrators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25217-1CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Devices: Allowed to format and eject removable media" to "Administrators".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Value Name: AllocateDASD - -Value Type: REG_SZ -Value: 0Password Expiration Warning<GroupDescription></GroupDescription>WN12-SO-000025Users must be warned in advance of their passwords expiring.<VulnDiscussion>Creating strong passwords that can be remembered by users requires some thought. By giving the user advance warning, the user has time to construct a sufficiently strong password. 
This setting configures the system to display a warning to users telling them how many days are left before their password expires.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23704-0CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Prompt user to change password before expiration" to "14" days or more.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Value Name: PasswordExpiryWarning - -Value Type: REG_DWORD -Value: 14 (or greater)Global System Objects Permission Strength<GroupDescription></GroupDescription>WN12-SO-000076The default permissions of global system objects must be increased.<VulnDiscussion>Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. 
If this policy is enabled, the default DACL is stronger, allowing nonadministrative users to read shared objects, but not modify shared objects that they did not create.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24633-0CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Session Manager\ - -Value Name: ProtectionMode - -Value Type: REG_DWORD -Value: 1Idle Time Before Suspending a Session.<GroupDescription></GroupDescription>WN12-SO-000031The amount of idle time required before suspending a session must be properly set.<VulnDiscussion>Open sessions can increase the avenues of attack on a system. This setting is used to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished. 
This protects critical and sensitive network data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23897-2CCI-001133CCI-002361Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Server: Amount of idle time required before suspending session" to "15" minutes or less.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ - -Value Name: autodisconnect - -Value Type: REG_DWORD -Value: 0x0000000f (15) (or less)Reversible Password Encryption<GroupDescription></GroupDescription>WN12-AC-000009Reversible password encryption must be disabled.<VulnDiscussion>Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. 
For this reason, this policy must never be enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23951-7CCI-000196Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Store password using reversible encryption" to "Disabled".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. - -If the value for "Store password using reversible encryption" is not set to "Disabled", this is a finding.Disable Media Autoplay<GroupDescription></GroupDescription>WN12-CC-000074Autoplay must be disabled for all drives.<VulnDiscussion>Allowing Autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, Autoplay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. 
Enabling this policy disables Autoplay on all drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23878-2CCI-001764Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies -> "Turn off AutoPlay" to "Enabled:All Drives".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ - -Value Name: NoDriveTypeAutoRun - -Type: REG_DWORD -Value: 0x000000ff (255)System File Changes<GroupDescription></GroupDescription>WN12-GE-000017System files must be monitored for unauthorized changes.<VulnDiscussion>Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>DCSL-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Monitor system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. 
This can be done with the use of various monitoring tools.Determine whether the site monitors system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) on servers for unauthorized changes against a baseline on a weekly basis. If system files are not monitored for unauthorized changes, this is a finding. - -A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. The Asset module within HBSS does not meet this requirement.File share ACLs<GroupDescription></GroupDescription>WN12-GE-000018Non system-created file shares on a system must limit access to groups that require it.<VulnDiscussion>Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to those accounts that require it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-001090If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. - -Remove any unnecessary non-system-created shares.If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. -(System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) - -Run "Computer Management". -Navigate to System Tools >> Shared Folders >> Shares. - -Right click any non-system-created shares. -Select "Properties". -Select the "Share Permissions" tab. 
- -If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. - -Select the "Security" tab. - -If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding.Intrusion Detection System<GroupDescription></GroupDescription>WN12-GE-000022Servers must have a host-based Intrusion Detection System.<VulnDiscussion>A properly configured host-based Intrusion Detection System provides another level of defense against unauthorized access to critical servers. With proper configuration and logging enabled, such a system can stop and/or alert for many attempts to gain unauthorized access to resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance>This finding can be downgraded to a CAT III, if there is an active JIDS or firewall protecting the network. </SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Install a host-based Intrusion Detection System on each server.Determine whether there is a host-based Intrusion Detection System on each server. - -If the HIPS component of HBSS is installed and active on the host and the Alerts of blocked activity are being logged and monitored, this will meet the requirement of this finding. - -A HID device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the site ISSO. 
- -If a host-based Intrusion Detection System is not installed on the system, this is a finding.Anonymous SID/Name Translation<GroupDescription></GroupDescription>WN12-SO-000050Anonymous SID/Name translation must not be allowed.<VulnDiscussion>Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24597-7CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Allow anonymous SID/Name translation" to "Disabled".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. - -If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding.Anonymous Access to Named Pipes<GroupDescription></GroupDescription>WN12-SO-000055-MSNamed pipes that can be accessed anonymously must be configured to contain no values on member servers.<VulnDiscussion>Named pipes that can be accessed anonymously provide the potential for gaining unauthorized system access. Pipes are internal system communications processes. They are identified internally by ID numbers that vary between systems. To make access to these processes easier, these pipes are given names that do not vary between systems. 
This setting controls which of these pipes anonymous users may access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25466-4CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Named pipes that can be accessed anonymously" to be defined but containing no entries (blank).If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ - -Value Name: NullSessionPipes - -Value Type: REG_MULTI_SZ -Value: (blank) - -Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.Remotely Accessible Registry Paths<GroupDescription></GroupDescription>WN12-SO-000056Unauthorized remotely accessible registry paths must not be configured.<VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. Some processes may require remote access to the registry. This setting controls which registry paths are accessible from a remote computer. 
These registry paths must be limited, as they could give unauthorized individuals access to the registry.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23899-8CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Remotely accessible registry paths" with the following entries: - -System\CurrentControlSet\Control\ProductOptions -System\CurrentControlSet\Control\Server Applications -Software\Microsoft\Windows NT\CurrentVersionIf the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\ - -Value Name: Machine - -Value Type: REG_MULTI_SZ -Value: see below - -System\CurrentControlSet\Control\ProductOptions -System\CurrentControlSet\Control\Server Applications -Software\Microsoft\Windows NT\CurrentVersion - -Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.Anonymous Access to Network Shares<GroupDescription></GroupDescription>WN12-SO-000059Network shares that can be accessed anonymously must not be allowed.<VulnDiscussion>Anonymous access to network shares provides the potential for gaining unauthorized system access by network users. 
This could lead to the exposure or corruption of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25592-7CCI-001090Ensure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Shares that can be accessed anonymously" contains no entries (blank).If the following registry value does not exist, this is not a finding: - -If the following registry value does exist and is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ - -Value Name: NullSessionShares - -Value Type: REG_MULTI_SZ -Value: (Blank)Remote Assistance - Solicit Remote Assistance<GroupDescription></GroupDescription>WN12-CC-000059Solicited Remote Assistance must not be allowed.<VulnDiscussion>Remote assistance allows another user to view or take control of the local session of a user. Solicited assistance is help that is specifically requested by the local user. 
This may allow unauthorized parties access to the resources on the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25590-1CCI-001090Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Assistance -> "Configure Solicited Remote Assistance" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fAllowToGetHelp - -Type: REG_DWORD -Value: 0Limit Blank Passwords<GroupDescription></GroupDescription>WN12-SO-000004Local accounts with blank passwords must be restricted to prevent access from the network.<VulnDiscussion>An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. 
However, if a local account with a blank password did exist, enabling this setting will prevent network access, limiting the account to local console logon only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25589-3CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Limit local account use of blank passwords to console logon only" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\ - -Value Name: LimitBlankPasswordUse - -Value Type: REG_DWORD -Value: 1Maximum Machine Account Password Age<GroupDescription></GroupDescription>WN12-SO-000016The maximum age for machine account passwords must be set to requirements.<VulnDiscussion>Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. 
This setting must be set to no more than 30 days, ensuring the machine changes its password monthly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23596-0CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Maximum machine account password age" to "30" or less (excluding "0" which is unacceptable).If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: MaximumPasswordAge - -Value Type: REG_DWORD -Value: 30 (or less, but not 0)Strong Session Key<GroupDescription></GroupDescription>WN12-SO-000017The system must be configured to require a strong session key.<VulnDiscussion>A computer connecting to a domain controller will establish a secure channel. 
Requiring strong session keys enforces 128-bit encryption between systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25198-3CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Require strong (Windows 2000 or Later) session key" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: RequireStrongKey - -Value Type: REG_DWORD -Value: 1 - -This setting may prevent a system from being joined to a domain if not configured consistently between systems.Everyone Anonymous rights<GroupDescription></GroupDescription>WN12-SO-000054The system must be configured to prevent anonymous users from having the same rights as the Everyone group.<VulnDiscussion>Access by anonymous users must be restricted. If this setting is enabled, then anonymous users have the same rights and permissions as the built-in Everyone group. 
Anonymous users must not have these permissions or rights.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23807-1CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Let everyone permissions apply to anonymous users" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\ - -Value Name: EveryoneIncludesAnonymous - -Value Type: REG_DWORD -Value: 0Sharing and Security Model for Local Accounts<GroupDescription></GroupDescription>WN12-SO-000060The system must be configured to use the Classic security model.<VulnDiscussion>Windows includes two network-sharing security models - Classic and Guest only. 
With the Classic model, local accounts must be password protected; otherwise, anyone can use guest user accounts to access shared system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-22742-1CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Sharing and security model for local accounts" to "Classic - local users authenticate as themselves".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\ - -Value Name: ForceGuest - -Value Type: REG_DWORD -Value: 0LAN Manager Hash stored<GroupDescription></GroupDescription>WN12-SO-000065The system must be configured to prevent the storage of the LAN Manager hash of passwords.<VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. 
This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24150-5CCI-000196Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\ - -Value Name: NoLMHash - -Value Type: REG_DWORD -Value: 1Force Logoff When Logon Hours Expire<GroupDescription></GroupDescription>WN12-SO-000066The system must be configured to force users to log off when their allowed logon hours expire.<VulnDiscussion>Limiting logon hours can help protect data by only allowing access during specified times. This setting controls whether or not users are forced to log off when their allowed logon hours expire. 
If logon hours are set for users, this must be enforced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25367-4CCI-001133Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Force logoff when logon hours expire" to "Enabled".Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. - -If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding.LDAP Client Signing<GroupDescription></GroupDescription>WN12-SO-000068The system must be configured to the required LDAP client signing level.<VulnDiscussion>This setting controls the signing requirements for LDAP clients. 
This setting must be set to Negotiate signing or Require signing, depending on the environment and type of LDAP server in use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25245-2CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\LDAP\ - -Value Name: LDAPClientIntegrity - -Value Type: REG_DWORD -Value: 1Session Security for NTLM SSP Based Clients<GroupDescription></GroupDescription>WN12-SO-000069The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients.<VulnDiscussion>Microsoft has implemented a variety of security support providers for use with RPC sessions. 
All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24783-3CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ - -Value Name: NTLMMinClientSec - -Value Type: REG_DWORD -Value: 0x20080000 (537395200)FIPS Compliant Algorithms <GroupDescription></GroupDescription>WN12-SO-000074The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.<VulnDiscussion>This setting ensures that the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. 
Government and must be the algorithms used for all OS encryption functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23921-0CCI-002450Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ - -Value Name: Enabled - -Value Type: REG_DWORD -Value: 1 - -Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site.Case Insensitivity for Non-Windows<GroupDescription></GroupDescription>WN12-SO-000075The system must be configured to require case insensitivity for non-Windows subsystems.<VulnDiscussion>This setting controls the behavior of non-Windows subsystems when dealing with the case of arguments or commands. Case sensitivity could lead to the access of files or commands that must be restricted. 
To prevent this from happening, case insensitivity restrictions must be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24870-8CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "System objects: Require case insensitivity for non-Windows subsystems" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Session Manager\Kernel\ - -Value Name: ObCaseInsensitive - -Value Type: REG_DWORD -Value: 1TS/RDS - Session Limit<GroupDescription></GroupDescription>WN12-CC-000131Remote Desktop Services must limit users to one remote session.<VulnDiscussion>Allowing multiple Remote Desktop Services sessions could consume resources. 
There is also potential to make a secondary connection to a system with compromised credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECLO-1, ECLO-2</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23328-8CCI-000054Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> "Restrict Remote Desktop Services users to a single Remote Desktop Services Session" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fSingleSessionPerUser - -Type: REG_DWORD -Value: 1TS/RDS - Password Prompting<GroupDescription></GroupDescription>WN12-CC-000099Remote Desktop Services must always prompt a client for passwords upon connection.<VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. 
Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25016-7CCI-002038Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> "Always prompt for password upon connection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fPromptForPassword - -Type: REG_DWORD -Value: 1TS/RDS - Set Encryption Level<GroupDescription></GroupDescription>WN12-CC-000100Remote Desktop Services must be configured with the client connection encryption set to the required level.<VulnDiscussion>Remote connections must be encrypted to prevent interception of data or sensitive information. 
Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24932-6CCI-000068CCI-002890Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> "Set client connection encryption level" to "Enabled" and "High Level".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: MinEncryptionLevel - -Type: REG_DWORD -Value: 3TS/RDS - Do Not Use Temp Folders<GroupDescription></GroupDescription>WN12-CC-000104Remote Desktop Services must be configured to use session-specific temporary folders.<VulnDiscussion>If a communal temporary folder is used for remote desktop sessions, it might be possible for users to access other users' temporary folders. If this setting is enabled, only one temporary folder is used for all remote desktop sessions. 
Per session temporary folders must be established.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24042-4CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Temporary Folders -> "Do not use temporary folders per session" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: PerSessionTempDir - -Type: REG_DWORD -Value: 1TS/RDS - Delete Temp Folders<GroupDescription></GroupDescription>WN12-CC-000103Remote Desktop Services must delete temporary folders when a session is terminated.<VulnDiscussion>Remote desktop session temporary folders must always be deleted after a session is over to prevent hard disk clutter and potential leakage of information. 
This setting controls the deletion of the temporary folders when the session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24304-8CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Temporary Folders -> "Do not delete temp folder upon exit" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: DeleteTempDirsOnExit - -Type: REG_DWORD -Value: 1Group Policy - Do Not Turn off Background Refresh<GroupDescription></GroupDescription>WN12-CC-000029Group Policies must be refreshed in the background if the user is logged on.<VulnDiscussion>If this setting is enabled, then Group Policy settings are not refreshed while a user is currently logged on. 
This could lead to instances when a user does not have the latest changes to a policy applied and is therefore operating in an insecure context.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23622-4CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Group Policy -> "Turn off background refresh of Group Policy" to "Disabled".Review the registry. -If the following registry value does not exist, this is not a finding (this is the expected result from configuring the policy as outlined in the Fix section.): -If the following registry value exists but is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\system\ - -Value Name: DisableBkGndGroupPolicy - -Type: REG_DWORD -Value: 0Remote Assistance - Offer Remote Assistance<GroupDescription></GroupDescription>WN12-CC-000058The system must be configured to prevent unsolicited remote assistance offers.<VulnDiscussion>Remote assistance allows another user to view or take control of the local session of a user. Unsolicited remote assistance is help that is offered by the remote user. 
This may allow unauthorized parties access to the resources on the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23282-7CCI-001090Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Assistance -> "Configure Offer Remote Assistance" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fAllowUnsolicited - -Type: REG_DWORD -Value: 0Windows Time Service - Configure NTP Client<GroupDescription></GroupDescription>WN12-CC-000069The time service must synchronize with an appropriate DoD time source.<VulnDiscussion>The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Windows Time Service is used, it must synchronize with a secure, authorized time source. Domain-joined systems are automatically configured to synchronize with domain controllers. 
If an NTP server is configured, it must synchronize with a secure, authorized time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23563-0CCI-001891If the system needs to be configured to an NTP server, configure the system to point to an authorized time server by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an authorized time server. - -The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.Open "Windows PowerShell" or an elevated "Command Prompt" (run as administrator). - -Enter "W32tm /query /configuration". - -Domain-joined systems are automatically configured with a "Type" of "NT5DS" to synchronize with domain controllers and would not be a finding. - -If systems are configured with a "Type" of "NTP", including standalone systems and the forest root domain controller with the PDC Emulator role, and do not have a DoD time server defined for "NTPServer", this is a finding. (See V-8557 in the Active Directory Forest STIG for the time source requirement of the forest root domain PDC emulator.) - -If an alternate time synchronization tool is used and is not enabled or not configured to synchronize with a DoD time source, this is a finding. 
- -The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.Safe DLL Search Mode<GroupDescription></GroupDescription>WN12-SO-000045The system must be configured to use Safe DLL Search Mode.<VulnDiscussion>The default search behavior, when an application calls a function in a Dynamic Link Library (DLL), is to search the current directory, followed by the directories contained in the system's path environment variable. An unauthorized DLL, inserted into an application's working directory, could allow malicious code to be run on the system. Setting this policy value forces the system to search the %Systemroot% for the DLL before searching the current directory or the rest of the path.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23462-5CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" to "Enabled". 
- -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Session Manager\ - -Value Name: SafeDllSearchMode - -Value Type: REG_DWORD -Value: 1Media Player - Disable Automatic Updates<GroupDescription></GroupDescription>WN12-CC-000122Windows Media Player must be configured to prevent automatic checking for updates.<VulnDiscussion>Uncontrolled system updates can introduce issues to a system. The automatic check for updates performed by Windows Media Player must be disabled to ensure a constant platform and to prevent the introduction of unknown\untested software on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24250-3CCI-001812If Windows Media Player is installed, configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> "Prevent Automatic Updates" to "Enabled".Windows Media Player is not installed by default. If it is not installed, this is NA. 
- -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ - -Value Name: DisableAutoupdate - -Type: REG_DWORD -Value: 1Media Player - Prevent Codec Download<GroupDescription></GroupDescription>WN12-UC-000013Media Player must be configured to prevent automatic Codec downloads.<VulnDiscussion>The Windows Media Player uses software components, referred to as Codecs, to play back media files. By default, when an unknown file type is opened with the Media Player, it will search the Internet for the appropriate Codec and automatically download it. To ensure platform consistency and to protect against new vulnerabilities associated with media types, all Codecs must be installed by the System Administrator.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23890-7CCI-001812Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> Playback -> "Prevent Codec Download" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ - -Value Name: PreventCodecDownload - -Type: REG_DWORD -Value: 1Unnecessary Services<GroupDescription></GroupDescription>WN12-GE-000021Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system.<VulnDiscussion>Unnecessary services increase the 
attack surface of a system. Some services may be run under the local System account, which generally has more permissions than required by the service. Compromising a service could allow an intruder to obtain system permissions and open the system to a variety of attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000381Document the services required for the system to operate. Remove or disable any services that are not required.Required services will vary between organizations, and on the role of the individual system. Organizations will develop their own list of services which will be documented and justified with the ISSO. The site's list will be provided for any security review. Services common to multiple systems can be addressed in one document. Exceptions for individual systems should be identified separately by system. - -Individual services specifically required to be disabled per the STIG are identified in separate requirements. - -If the site has not documented the services required for their system(s), this is a finding. - -The following can be used to view the services on a system: -Run "Services.msc". - -Services for Windows Server 2012 roles are managed automatically, adding those necessary for a particular role. The following lists the default services for a baseline installation as a reference. This can be used as a basis for documenting the services necessary. 
- -Default Installation -Name - Startup Type -Application Experience - Manual (Trigger Start) -Application Identity - Manual (Trigger Start) -Application Information - Manual -Application Layer Gateway Service - Manual -Application Management - Manual -Background Intelligent Transfer Service - Automatic (Delayed Start) -Background Tasks Infrastructure Service - Automatic -Base Filtering Engine - Automatic -Certificate Propagation - Manual -CNG Key Isolation - Manual (Trigger Start) -COM+ Event System - Automatic -COM+ System Application - Manual -Computer Browser - Disabled -Credential Manager - Manual -Cryptographic Services - Automatic -DCOM Server Process Launcher - Automatic -Device Association Service - Manual (Trigger Start) -Device Install Service - Manual (Trigger Start) -Device Setup Manager - Manual (Trigger Start) -DHCP Client - Automatic -Diagnostic Policy Service - Automatic (Delayed Start) -Diagnostic Service Host - Manual -Diagnostic System Host - Manual -Distributed Link Tracking Client - Automatic -Distributed Transaction Coordinator - Automatic (Delayed Start) -DNS Client - Automatic (Trigger Start) -Encrypting File System (EFS) - Manual (Trigger Start) -Extensible Authentication Protocol - Manual -Function Discovery Provider Host - Manual -Function Discovery Resource Publication - Manual -Group Policy Client - Automatic (Trigger Start) -Health Key and Certificate Management - Manual -Human Interface Device Access - Manual (Trigger Start) -Hyper-V Data Exchange Service - Manual (Trigger Start) -Hyper-V Guest Shutdown Service - Manual (Trigger Start) -Hyper-V Heartbeat Service - Manual (Trigger Start) -Hyper-V Remote Desktop Virtualization Service - Manual (Trigger Start) -Hyper-V Time Synchronization Service - Manual (Trigger Start) -Hyper-V Volume Shadow Copy Requestor - Manual (Trigger Start) -IKE and AuthIP IPsec Keying Modules - Manual (Trigger Start) -Interactive Services Detection - Manual -Internet Connection Sharing (ICS) - Disabled -IP 
Helper - Automatic -IPsec Policy Agent - Manual (Trigger Start) -KDC Proxy Server service (KPS) - Manual -KtmRm for Distributed Transaction Coordinator - Manual (Trigger Start) -Link-Layer Topology Discovery Mapper - Manual -Local Session Manager - Automatic -Microsoft iSCSI Initiator Service - Manual -Microsoft Software Shadow Copy Provider - Manual -Multimedia Class Scheduler - Manual -Net.Tcp Port Sharing Service - Disabled -Netlogon - Manual -Network Access Protection Agent - Manual -Network Connections - Manual -Network Connectivity Assistant - Manual (Trigger Start) -Network List Service - Manual -Network Location Awareness - Automatic -Network Store Interface Service - Automatic -Optimize drives - Manual -Performance Counter DLL Host - Manual -Performance Logs & Alerts - Manual -Plug and Play - Manual -Portable Device Enumerator Service - Manual (Trigger Start) -Power - Automatic -Print Spooler - Automatic -Printer Extensions and Notifications - Manual -Problem Reports and Solutions Control Panel Support - Manual -Remote Access Auto Connection Manager - Manual -Remote Access Connection Manager - Manual -Remote Desktop Configuration - Manual -Remote Desktop Services - Manual -Remote Desktop Services UserMode Port Redirector - Manual -Remote Procedure Call (RPC) - Automatic -Remote Procedure Call (RPC) Locator - Manual -Remote Registry - Automatic (Trigger Start) -Resultant Set of Policy Provider - Manual -Routing and Remote Access - Disabled -RPC Endpoint Mapper - Automatic -Secondary Logon - Manual -Secure Socket Tunneling Protocol Service - Manual -Security Accounts Manager - Automatic -Server - Automatic -Shell Hardware Detection - Automatic -Smart Card - Disabled -Smart Card Removal Policy - Manual -SNMP Trap - Manual -Software Protection - Automatic (Delayed Start, Trigger Start) -Special Administration Console Helper - Manual -Spot Verifier - Manual (Trigger Start) -SSDP Discovery - Disabled -Superfetch - Manual -System Event Notification Service - 
Automatic -Task Scheduler - Automatic -TCP/IP NetBIOS Helper - Automatic (Trigger Start) -Telephony - Manual -Themes - Automatic -Thread Ordering Server - Manual -UPnP Device Host - Disabled -User Access Logging Service - Automatic (Delayed Start) -User Profile Service - Automatic -Virtual Disk - Manual -Volume Shadow Copy - Manual -Windows All-User Install Agent - Manual (Trigger Start) -Windows Audio - Manual -Windows Audio Endpoint Builder - Manual -Windows Color System - Manual -Windows Driver Foundation - User-mode Driver Framework - Manual (Trigger Start) -Windows Error Reporting Service - Manual (Trigger Start) -Windows Event Collector - Manual -Windows Event Log - Automatic -Windows Firewall - Automatic -Windows Font Cache Service - Automatic -Windows Installer - Manual -Windows Licensing Monitoring Service - Automatic -Windows Management Instrumentation - Automatic -Windows Modules Installer - Manual -Windows Remote Management (WS-Management) - Automatic -Windows Store Service (WSService) - Manual (Trigger Start) -Windows Time - Manual (Trigger Start) -Windows Update - Manual -WinHTTP Web Proxy Auto-Discovery Service - Manual -Wired AutoConfig - Manual -WMI Performance Adapter - Manual -Workstation - AutomaticSession Security for NTLM SSP based Servers<GroupDescription></GroupDescription>WN12-SO-000070The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers.<VulnDiscussion>Microsoft has implemented a variety of security support providers for use with RPC sessions. 
All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25264-3CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ - -Value Name: NTLMMinServerSec - -Value Type: REG_DWORD -Value: 0x20080000 (537395200)Audit Log Warning Level<GroupDescription></GroupDescription>WN12-SO-000049The system must generate an audit event when the audit log reaches a percentage of full threshold.<VulnDiscussion>When the audit log reaches a given percent full, an audit event is written to the security log. It is recorded as a successful audit event under the category of System. 
This option may be especially useful if the audit logs are set to be cleared manually.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25110-8CCI-000139CCI-001855CCI-001858Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" to "90" or less. - -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the system is configured to write to an audit server, or is configured to automatically archive full logs, this is NA. 
- -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\Eventlog\Security\ - -Value Name: WarningLevel - -Value Type: REG_DWORD -Value: 90 (or less)Disable IP Source Routing<GroupDescription></GroupDescription>WN12-SO-000038The system must be configured to prevent IP source routing.<VulnDiscussion>Configuring the system to disable IP source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24968-0CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" to "Highest protection, source routing is completely disabled". 
- -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ - -Value Name: DisableIPSourceRouting - -Value Type: REG_DWORD -Value: 2Disable ICMP Redirect<GroupDescription></GroupDescription>WN12-SO-000039The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.<VulnDiscussion>Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24977-1CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to "Disabled". 
- -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ - -Value Name: EnableICMPRedirect - -Value Type: REG_DWORD -Value: 0Disable Router Discovery<GroupDescription></GroupDescription>WN12-SO-000044The system must be configured to disable the Internet Router Discovery Protocol (IRDP).<VulnDiscussion>The Internet Router Discovery Protocol (IRDP) is used to detect and configure default gateway addresses on the computer. If a router is impersonated on a network, traffic could be routed through the compromised system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23677-8CCI-002385Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)" to "Disabled". 
- -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ - -Value Name: PerformRouterDiscovery - -Value Type: REG_DWORD -Value: 0TCP Connection Keep-Alive Time<GroupDescription></GroupDescription>WN12-SO-000041The system must be configured to limit how often keep-alive packets are sent.<VulnDiscussion>This setting controls how often TCP sends a keep-alive packet in attempting to verify that an idle connection is still intact. A higher value could allow an attacker to cause a denial of service with numerous connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24310-5CCI-002385Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds" to "300000 or 5 minutes (recommended)" or less. 
- -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ - -Value Name: KeepAliveTime - -Value Type: REG_DWORD -Value: 300000 (or less)Name-Release Attacks<GroupDescription></GroupDescription>WN12-SO-000043The system must be configured to ignore NetBIOS name release requests except from WINS servers.<VulnDiscussion>Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the servers WINS resolution capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23715-6CCI-002385Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to "Enabled". 
- -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ - -Value Name: NoNameReleaseOnDemand - -Value Type: REG_DWORD -Value: 1TCP Data Retransmissions<GroupDescription></GroupDescription>WN12-SO-000048The system must limit how many times unacknowledged TCP data is retransmitted.<VulnDiscussion>In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server, and the server leaves the half-open connections open until it is overwhelmed and is no longer able to respond to legitimate requests.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25455-7CCI-002385Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" to "3" or less. 
- -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ - -Value Name: TcpMaxDataRetransmissions - -Value Type: REG_DWORD -Value: 3 (or less)Screen Saver Grace Period<GroupDescription></GroupDescription>WN12-SO-000046The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.<VulnDiscussion>Allowing more than several seconds makes the computer vulnerable to a potential attack from someone walking up to the console to attempt to log on to the system before the lock takes effect.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24993-8CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to "5" or less. 
- -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Value Name: ScreenSaverGracePeriod - -Value Type: REG_SZ -Value: 5 (or less)Remotely Accessible Registry Paths and Sub-Paths<GroupDescription></GroupDescription>WN12-SO-000057Unauthorized remotely accessible registry paths and sub-paths must not be configured.<VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. Some processes may require remote access to the registry. This setting controls which registry paths and sub-paths are accessible from a remote computer. These registry paths must be limited, as they could give unauthorized individuals access to the registry.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25426-8CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Remotely accessible registry paths and sub-paths" with the following entries: - -Software\Microsoft\OLAP Server -Software\Microsoft\Windows NT\CurrentVersion\Perflib -Software\Microsoft\Windows NT\CurrentVersion\Print -Software\Microsoft\Windows NT\CurrentVersion\Windows -System\CurrentControlSet\Control\ContentIndex -System\CurrentControlSet\Control\Print\Printers -System\CurrentControlSet\Control\Terminal Server 
-System\CurrentControlSet\Control\Terminal Server\UserConfig -System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration -System\CurrentControlSet\Services\Eventlog -System\CurrentControlSet\Services\SysmonlogIf the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\ - -Value Name: Machine - -Value Type: REG_MULTI_SZ -Value: see below - -Software\Microsoft\OLAP Server -Software\Microsoft\Windows NT\CurrentVersion\Perflib -Software\Microsoft\Windows NT\CurrentVersion\Print -Software\Microsoft\Windows NT\CurrentVersion\Windows -System\CurrentControlSet\Control\ContentIndex -System\CurrentControlSet\Control\Print\Printers -System\CurrentControlSet\Control\Terminal Server -System\CurrentControlSet\Control\Terminal Server\UserConfig -System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration -System\CurrentControlSet\Services\Eventlog -System\CurrentControlSet\Services\Sysmonlog - -Legitimate applications may add entries to this registry value. If an application requires these entries to function properly and is documented with the ISSO, this would not be a finding. Documentation must contain supporting information from the vendor's instructions.Optional Subsystems<GroupDescription></GroupDescription>WN12-SO-000088Optional Subsystems must not be permitted to operate on the system.<VulnDiscussion>The POSIX subsystem is an Institute of Electrical and Electronic Engineers (IEEE) standard that defines a set of operating system services. The POSIX Subsystem is required if the server supports applications that use that subsystem. The subsystem introduces a security risk relating to processes that can potentially persist across logins. 
That is, if a user starts a process and then logs out, there is a potential that the next user who logs in to the system could access the previous users process. This is dangerous because the process started by the first user may retain that users system privileges, and anything the second user does with that process will be performed with the privileges of the first user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools>HK</ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24878-1CCI-000381Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "System settings: Optional subsystems" to "Blank" (Configured with no entries).If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Session Manager\Subsystems\ - -Value Name: Optional - -Value Type: REG_MULTI_SZ -Value: (Blank)TS/RDS - Secure RPC Connection.<GroupDescription></GroupDescription>WN12-CC-000130The Remote Desktop Session Host must require secure RPC communications.<VulnDiscussion>Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a client and server and modifies them before allowing the packets to be exchanged. 
Usually the attacker will modify the information in the packets in an attempt to cause either the client or server to reveal sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24788-2CCI-001453Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> "Require secure RPC communication" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fEncryptRPCTraffic - -Type: REG_DWORD -Value: 1Group Policy - Registry Policy Processing<GroupDescription></GroupDescription>WN12-CC-000028Group Policy objects must be reprocessed even if they have not changed.<VulnDiscussion>Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures that the policies will be reprocessed even if none have been changed. 
This way, any unauthorized changes are forced to match the domain-based group policy settings again.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24992-0CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Group Policy -> "Configure registry policy processing" to "Enabled" and select the option "Process even if the Group Policy objects have not changed".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ - -Value Name: NoGPOListChanges - -Type: REG_DWORD -Value: 0Encrypting and Signing of Secure Channel Traffic<GroupDescription></GroupDescription>WN12-SO-000012Outgoing secure channel traffic must be encrypted or signed.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. 
If this policy is enabled, outgoing secure channel traffic will be encrypted and signed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24465-7CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain member: Digitally encrypt or sign secure channel data (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ - -Value Name: RequireSignOrSeal - -Value Type: REG_DWORD -Value: 1SMB Client Packet Signing (Always)<GroupDescription></GroupDescription>WN12-SO-000028The Windows SMB client must be configured to always perform SMB packet signing.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24969-8CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network client: Digitally sign communications (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ - -Value Name: RequireSecuritySignature - -Value Type: REG_DWORD -Value: 1SMB Server Packet Signing (Always)<GroupDescription></GroupDescription>WN12-SO-000032The Windows SMB server must be configured to always perform SMB packet signing.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. 
If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23716-4CCI-002418CCI-002421Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Digitally sign communications (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ - -Value Name: RequireSecuritySignature - -Value Type: REG_DWORD -Value: 1Anonymous Access to Named Pipes and Shares<GroupDescription></GroupDescription>WN12-SO-000058Anonymous access to Named Pipes and Shares must be restricted.<VulnDiscussion>Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. 
This setting restricts access to those defined in "Network access: Named Pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously", both of which must be blank under other requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24564-7CCI-001090Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ - -Value Name: RestrictNullSessAccess - -Value Type: REG_DWORD -Value: 1Minimum Password Length<GroupDescription></GroupDescription>WN12-AC-000007Passwords must, at a minimum, be 14 characters.<VulnDiscussion>Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 
20122350CCE-25317-9CCI-000205Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Minimum password length" to "14" characters.Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy. - -If the value for the "Minimum password length," is less than "14" characters, this is a finding.Password Expiration<GroupDescription></GroupDescription>WN12-GE-000016Windows 2012/2012 R2 passwords must be configured to expire.<VulnDiscussion>Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000199Configure all enabled user account passwords to expire. - -Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO.Review the password never expires status for enabled user accounts. - -Open "Windows PowerShell" with elevated privileges (run as administrator). - -Domain Controllers: - -Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | Where PasswordNeverExpires -eq True | FT Name, PasswordNeverExpires, Enabled". - -Exclude application accounts and disabled accounts (e.g., Guest). -Domain accounts requiring smart card (CAC/PIV) may also be excluded. 
- -If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. - -Member servers and standalone systems: - -Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. - -Exclude application accounts and disabled accounts (e.g., Guest). - -If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.Password Requirement<GroupDescription></GroupDescription>WN12-GE-000015Windows 2012/2012 R2 accounts must be configured to require passwords.<VulnDiscussion>The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000764Configure all enabled accounts to require passwords. - -The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account.Review the password required status for enabled user accounts. - -Open "Windows PowerShell". - -Domain Controllers: - -Enter "Get-ADUser -Filter * -Properties PasswordNotRequired | Where PasswordNotRequired -eq True | FT Name, PasswordNotRequired, Enabled". - -Exclude disabled accounts (e.g., Guest) and Trusted Domain Objects (TDOs). - -If "PasswordNotRequired" is "True" for any enabled user account, this is a finding. 
- -Member servers and standalone systems: - -Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. - -Exclude disabled accounts (e.g., Guest). - -If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.Display of Last User Name<GroupDescription></GroupDescription>WN12-SO-000018The system must be configured to prevent the display of the last username on the logon screen.<VulnDiscussion>Displaying the username of the last logged on user provides half of the userid/password equation that an unauthorized person would need to gain access. The username of the last user to log on to a system must not be displayed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24748-6CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive logon: Do not display last user name" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: DontDisplayLastUserName - -Value Type: REG_DWORD -Value: 1Administrator Account Password Changes<GroupDescription></GroupDescription>WN12-00-000007Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.<VulnDiscussion>The longer a password is in 
use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The password for the built-in Administrator account must be changed at least annually or when any member of the administrative team leaves the organization. - -Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Change the built-in Administrator account password at least annually or whenever an administrator leaves the organization. More frequent changes are recommended. - -Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this.Review the password last set date for the built-in Administrator account. - -Domain controllers: - -Open "Windows PowerShell". - -Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | FL Name, SID, PasswordLastSet". - -If the "PasswordLastSet" date is greater than one year old, this is a finding. - -Member servers and standalone systems: - -Open "Windows PowerShell" or "Command Prompt". - -Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account. - -(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.) 
- -If the "PasswordLastSet" date is greater than one year old, this is a finding.Audit Access of Global System Objects<GroupDescription></GroupDescription>WN12-SO-000007Auditing the Access of Global System Objects must be turned off.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -This setting prevents the system from setting up a default system access control list for certain system objects, which could create a very large number of security events, filling the security log in Windows and making it difficult to identify actual issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24075-4CCI-001095Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Audit the access of global system objects" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\ - -Value Name: AuditBaseObjects - -Value Type: REG_DWORD -Value: 0Audit Backup and Restore Privileges<GroupDescription></GroupDescription>WN12-SO-000008Auditing of Backup and Restore Privileges must be turned 
off.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -This setting prevents the system from generating audit events for every file backed up or restored, which could fill the security log in Windows, making it difficult to identify actual issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24923-5CCI-001095Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Audit the use of Backup and Restore privilege" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\ - -Value Name: FullPrivilegeAuditing - -Value Type: REG_BINARY -Value: 0Audit Policy Subcategory Setting<GroupDescription></GroupDescription>WN12-SO-000009Audit policy using subcategories must be enabled.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24252-9CCI-000169Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\ - -Value Name: SCENoApplyLegacyAuditPolicy - -Value Type: REG_DWORD -Value: 1IPSec Exemptions<GroupDescription></GroupDescription>WN12-SO-000042IPSec Exemptions must be limited.<VulnDiscussion>IPSec exemption filters allow specific traffic that may be needed by the system for such things as Kerberos authentication. 
This setting configures Windows for specific IPSec exemptions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24253-7CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic" to "Only ISAKMP is exempt (recommended for Windows Server 2003)". - -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\IPSEC\ - -Value Name: NoDefaultExempt - -Value Type: REG_DWORD -Value: 3UAC - Admin Approval Mode<GroupDescription></GroupDescription>WN12-SO-000077User Account Control approval mode for the built-in Administrator must be enabled.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures the built-in Administrator account so that it runs in Admin Approval Mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24134-9CCI-002038UAC requirements are NA on Server Core installations. - -Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled".UAC requirements are NA on Server Core installations. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: FilterAdministratorToken - -Value Type: REG_DWORD -Value: 1UAC - Admin Elevation Prompt<GroupDescription></GroupDescription>WN12-SO-000078User Account Control must, at minimum, prompt administrators for consent.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures the elevation requirements for logged on administrators to complete a task that requires raised privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23877-4CCI-001084UAC requirements are NA on Server Core installations. - -Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent". - -More secure options for this setting would also be acceptable (e.g., Prompt for credentials, Prompt for consent (or credentials) on the secure desktop).UAC requirements are NA on Server Core installations. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: ConsentPromptBehaviorAdmin - -Value Type: REG_DWORD -Value: 4 (Prompt for consent) -3 (Prompt for credentials) -2 (Prompt for consent on the secure desktop) -1 (Prompt for credentials on the secure desktop)UAC - User Elevation Prompt<GroupDescription></GroupDescription>WN12-SO-000079User Account Control must automatically deny standard user requests for elevation.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting controls the behavior of elevation when requested by a standard user account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24519-1CCI-002038UAC requirements are NA on Server Core installations. - -Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests".UAC requirements are NA on Server Core installations. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: ConsentPromptBehaviorUser - -Value Type: REG_DWORD -Value: 0UAC - Application Installations<GroupDescription></GroupDescription>WN12-SO-000080User Account Control must be configured to detect application installations and prompt for elevation.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting requires Windows to respond to application installation requests by prompting for credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24498-8CCI-001084UAC requirements are NA on Server Core installations. - -Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Detect application installations and prompt for elevation" to "Enabled".UAC requirements are NA on Server Core installations. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: EnableInstallerDetection - -Value Type: REG_DWORD -Value: 1UAC - UIAccess Application Elevation<GroupDescription></GroupDescription>WN12-SO-000082User Account Control must only elevate UIAccess applications that are installed in secure locations.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\System32 folders, to run with elevated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25471-4CCI-001084UAC requirements are NA on Server Core installations. - -Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled".UAC requirements are NA on Server Core installations. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: EnableSecureUIAPaths - -Value Type: REG_DWORD -Value: 1UAC - All Admin Approval Mode<GroupDescription></GroupDescription>WN12-SO-000083User Account Control must run all administrators in Admin Approval Mode, enabling UAC.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting enables UAC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23653-9CCI-002038UAC requirements are NA on Server Core installations. - -Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled".UAC requirements are NA on Server Core installations. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: EnableLUA - -Value Type: REG_DWORD -Value: 1UAC - Secure Desktop Mode<GroupDescription></GroupDescription>WN12-SO-000084User Account Control must switch to the secure desktop when prompting for elevation.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting ensures that the elevation prompt is only used in secure desktop mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23656-2CCI-001084UAC requirements are NA on Server Core installations. 
- -Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Switch to the secure desktop when prompting for elevation" to "Enabled".UAC requirements are NA on Server Core installations. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: PromptOnSecureDesktop - -Value Type: REG_DWORD -Value: 1UAC - Non UAC Compliant Application Virtualization<GroupDescription></GroupDescription>WN12-SO-000085User Account Control must virtualize file and registry write failures to per-user locations.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24231-3CCI-001084UAC requirements are NA on Server Core installations. - -Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled".UAC requirements are NA on Server Core installations. 
- -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: EnableVirtualization - -Value Type: REG_DWORD -Value: 1Enumerate Administrator Accounts on Elevation<GroupDescription></GroupDescription>WN12-CC-000077Administrator accounts must not be enumerated during elevation.<VulnDiscussion>Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to enter in a username and password to elevate a running application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24805-4CCI-001084Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ - -Value Name: EnumerateAdministrators - -Type: REG_DWORD -Value: 0x00000000 (0)TS/RDS - Prevent Password Saving<GroupDescription></GroupDescription>WN12-CC-000096Passwords must not be saved in the Remote Desktop Client.<VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. 
The system must be configured to prevent users from saving passwords in the Remote Desktop Client.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23787-5CCI-002038Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client -> "Do not allow passwords to be saved" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: DisablePasswordSaving - -Type: REG_DWORD -Value: 1TS/RDS - Drive Redirection<GroupDescription></GroupDescription>WN12-CC-000098Local drives must be prevented from sharing with Remote Desktop Session Hosts. 
(Remote Desktop Services Role).<VulnDiscussion>Preventing users from sharing the local drives on their client computers to Remote Session Hosts that they access helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24648-8CCI-001090Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow drive redirection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fDisableCdm - -Type: REG_DWORD -Value: 1RPC - Unauthenticated RPC Clients<GroupDescription></GroupDescription>WN12-CC-000064-MSUnauthenticated RPC clients must be restricted from connecting to the RPC server.<VulnDiscussion>Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24152-1CCI-001967Configure the policy value for Computer Configuration -> Administrative Templates 
-> System -> Remote Procedure Call -> "Restrict Unauthenticated RPC clients" to "Enabled" and "Authenticated".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ - -Value Name: RestrictRemoteClients - -Type: REG_DWORD -Value: 1Printing Over HTTP<GroupDescription></GroupDescription>WN12-CC-000039Printing over HTTP must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. -This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24832-8CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off printing over HTTP" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ - -Value Name: DisableHTTPPrinting - -Type: REG_DWORD -Value: 1HTTP Printer Drivers<GroupDescription></GroupDescription>WN12-CC-000032Downloading print driver packages over HTTP must be 
prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. -This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24854-2CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off downloading of print drivers over HTTP" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ - -Value Name: DisableWebPnPDownload - -Type: REG_DWORD -Value: 1Windows Update Device Drive Searching<GroupDescription></GroupDescription>WN12-CC-000047Windows must be prevented from using Windows Update to search for drivers.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting prevents Windows from searching Windows Update for device drivers when no local drivers for a device are present.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24071-3CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Windows Update device driver searching" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ - -Value Name: DontSearchWindowsUpdate - -Type: REG_DWORD -Value: 1Attachment Mgr - Preserve Zone Info<GroupDescription></GroupDescription>WN12-UC-000009Zone information must be preserved when saving attachments.<VulnDiscussion>Preserving zone of origin (internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24747-8CCI-000366Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Do not preserve zone information in file attachments" to 
"Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ - -Value Name: SaveZoneInformation - -Type: REG_DWORD -Value: 2Attachment Mgr - Hide Mech to Remove Zone Info<GroupDescription></GroupDescription>WN12-UC-000010Mechanisms for removing zone information from file attachments must be hidden.<VulnDiscussion>Preserving zone of origin (internet, intranet, local, restricted) information on file attachments allows Windows to determine risk. This setting prevents users from manually removing zone information from saved file attachments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24611-6CCI-000366Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Hide mechanisms to remove zone information" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ - -Value Name: HideZoneInfoOnProperties - -Type: REG_DWORD -Value: 1Attachment Mgr - Scan with Antivirus<GroupDescription></GroupDescription>WN12-UC-000011The system must notify antivirus when file attachments are opened.<VulnDiscussion>Attaching malicious files is a known avenue of attack. 
This setting configures the system to notify antivirus programs when a user opens a file attachment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25538-0CCI-000366Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Notify antivirus programs when opening attachments" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ - -Value Name: ScanWithAntiVirus - -Type: REG_DWORD -Value: 3HBSS McAfee Agent<GroupDescription></GroupDescription>WN12-GE-000019The HBSS McAfee Agent must be installed.<VulnDiscussion>The McAfee Agent is the client side distributed component of McAfee ePolicy Orchestrator (McAfee ePO) which provides a secure communication channel between the ePO server and managed point products.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Deploy the McAfee Agent as detailed in accordance with the DoD HBSS STIG.Run "Services.msc". - -Verify the McAfee Agent service is running, depending on the version installed. 
- -Version - Service Name -McAfee Agent v5.x - McAfee Agent Service -McAfee Agent v4.x - McAfee Framework Service - -If the service is not listed or does not have a Status of "Started", this is a finding.Windows Peer to Peer Networking <GroupDescription></GroupDescription>WN12-CC-000003Windows Peer-to-Peer networking services must be turned off.<VulnDiscussion>Peer-to-Peer applications can allow unauthorized access to a system and exposure of sensitive data. This setting will turn off the Microsoft Peer-to-Peer Networking Service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24398-0CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Microsoft Peer-to-Peer Networking Services -> "Turn off Microsoft Peer-to-Peer Networking Services" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Peernet\ - -Value Name: Disabled - -Type: REG_DWORD -Value: 1Prohibit Network Bridge<GroupDescription></GroupDescription>WN12-CC-000004Network Bridges must be prohibited in Windows.<VulnDiscussion>A Network Bridge can connect two or more network segments, allowing unauthorized access or exposure of sensitive data. 
This setting prevents a Network Bridge from being installed and configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25587-7CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> "Prohibit installation and configuration of Network Bridge on your DNS domain network" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ - -Value Name: NC_AllowNetBridge_NLA - -Type: REG_DWORD -Value: 0Event Viewer Events.asp Links<GroupDescription></GroupDescription>WN12-CC-000033Event Viewer Events.asp links must be turned off.<VulnDiscussion>Viewing events is a function of administrators, who must not access the internet with privileged accounts. 
This setting will disable Events.asp hyperlinks in Event Viewer to prevent links to the internet from within events.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24235-4CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Event Viewer "Events.asp" links" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\EventViewer\ - -Value Name: MicrosoftEventVwrDisableLinks - -Type: REG_DWORD -Value: 1Internet File Association Service <GroupDescription></GroupDescription>WN12-CC-000038The Internet File Association service must be turned off.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting prevents unhandled file associations from using the Microsoft Web service to find an application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24899-7CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Internet File Association service" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ - -Value Name: NoInternetOpenWith - -Type: REG_DWORD -Value: 1RSS Attachment Downloads<GroupDescription></GroupDescription>WN12-CC-000105Attachments must be prevented from being downloaded from RSS feeds.<VulnDiscussion>Attachments from RSS feeds may not be secure. 
This setting will prevent attachments from being downloaded from RSS feeds.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25340-1CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> RSS Feeds -> "Prevent downloading of enclosures" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ - -Value Name: DisableEnclosureDownload - -Type: REG_DWORD -Value: 1Windows Explorer – Shell Protocol Protected Mode <GroupDescription></GroupDescription>WN12-CC-000091File Explorer shell protocol must run in protected mode.<VulnDiscussion>The shell protocol will limit the set of folders applications can open when run in protected mode. 
Restricting files an application can open to a limited set of folders increases the security of Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23923-6CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off shell protocol protected mode" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ - -Value Name: PreXPSP2ShellProtocolBehavior - -Type: REG_DWORD -Value: 0Windows Installer – IE Security Prompt<GroupDescription></GroupDescription>WN12-CC-000117Users must be notified if a web-based program attempts to install software.<VulnDiscussion>Users must be aware of attempted program installations. 
This setting ensures users are notified if a web-based program attempts to install software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23886-5CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Installer\ - -Value Name: SafeForScripting - -Type: REG_DWORD -Value: 0Windows Installer – User Control <GroupDescription></GroupDescription>WN12-CC-000115Users must be prevented from changing installation options.<VulnDiscussion>Installation options for applications are typically controlled by administrators. 
This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23712-3CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Allow user control over installs" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Installer\ - -Value Name: EnableUserControl - -Type: REG_DWORD -Value: 0Windows Installer – Vendor Signed Updates<GroupDescription></GroupDescription>WN12-CC-000118Nonadministrators must be prevented from applying vendor-signed updates.<VulnDiscussion>Uncontrolled system updates can introduce issues to a system. 
This setting will prevent users from applying vendor-signed updates (though they may be from a trusted source).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23601-8CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Prohibit non-administrators from applying vendor signed updates" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Installer\ - -Value Name: DisableLUAPatching - -Type: REG_DWORD -Value: 1Media Player – First Use Dialog Boxes <GroupDescription></GroupDescription>WN12-CC-000121Users must not be presented with Privacy and Installation options on first use of Windows Media Player.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting prevents users from being presented with Privacy and Installation options on first use of Windows Media Player, which could enable some communication with the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25014-2CCI-000366If Windows Media Player is installed, configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> "Do Not Show First Use Dialog Boxes" to "Enabled".Windows Media Player is not installed by default. If it is not installed, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\WindowsMediaPlayer\ - -Value Name: GroupPrivacyAcceptance - -Type: REG_DWORD -Value: 1Network – Mapper I/O Driver <GroupDescription></GroupDescription>WN12-CC-000001The Mapper I/O network protocol (LLTDIO) driver must be disabled.<VulnDiscussion>The Mapper I/O network protocol (LLTDIO) driver allows the discovery of the connected network and allows various options to be enabled. 
Disabling this helps protect the system from potentially discovering and connecting to unauthorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25156-1CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Link-Layer Topology Discovery -> "Turn on Mapper I/O (LLTDIO) driver" to "Disabled".If the following registry values do not exist or are not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ - -Value Name: AllowLLTDIOOndomain -Value Name: AllowLLTDIOOnPublicNet -Value Name: EnableLLTDIO -Value Name: ProhibitLLTDIOOnPrivateNet - -Type: REG_DWORD -Value: 0Network – Responder Driver <GroupDescription></GroupDescription>WN12-CC-000002The Responder network protocol driver must be disabled.<VulnDiscussion>The Responder network protocol driver allows a computer to be discovered and located on a network. 
Disabling this helps protect the system from potentially being discovered and connected to by unauthorized devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23931-9CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Link-Layer Topology Discovery -> "Turn on Responder (RSPNDR) driver" to "Disabled".If the following registry values do not exist or are not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\LLTD\ - -Value Name: AllowRspndrOndomain -Value Name: AllowRspndrOnPublicNet -Value Name: EnableRspndr -Value Name: ProhibitRspndrOnPrivateNet - -Type: REG_DWORD -Value: 0Network – WCN Wireless Configuration <GroupDescription></GroupDescription>WN12-CC-000012The configuration of wireless devices using Windows Connect Now must be disabled.<VulnDiscussion>Windows Connect Now allows the discovery and configuration of devices over wireless. Wireless devices must be managed. 
If a rogue device is connected to a system, there is potential for sensitive information to be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23804-8CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Windows Connect Now -> "Configuration of wireless settings using Windows Connect Now" to "Disabled".If the following registry values do not exist or are not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\WCN\Registrars\ - -Value Name: DisableFlashConfigRegistrar -Value Name: DisableInBand802DOT11Registrar -Value Name: DisableUPnPRegistrar -Value Name: DisableWPDRegistrar -Value Name: EnableRegistrars - -Type: REG_DWORD -Value: 0Network – Windows Connect Now Wizards <GroupDescription></GroupDescription>WN12-CC-000013The Windows Connect Now wizards must be disabled.<VulnDiscussion>Windows Connect Now provides wizards for tasks such as "Set up a wireless router or access point" and must not be available to users. 
Functions such as these may allow unauthorized connections to a system and the potential for sensitive information to be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24665-2CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Windows Connect Now -> "Prohibit access of the Windows Connect Now wizards" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\WCN\UI\ - -Value Name: DisableWcnUi - -Type: REG_DWORD -Value: 1Device Install – PnP Interface Remote Access <GroupDescription></GroupDescription>WN12-CC-000019Remote access to the Plug and Play interface must be disabled for device installation.<VulnDiscussion>Remote access to the Plug and Play interface could potentially allow connections by unauthorized devices. 
This setting configures remote access to the Plug and Play interface and must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24004-4CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Allow remote access to the Plug and Play interface" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ - -Value Name: AllowRemoteRPC - -Type: REG_DWORD -Value: 0Device Install – Drivers System Restore Point<GroupDescription></GroupDescription>WN12-CC-000021A system restore point must be created when a new device driver is installed.<VulnDiscussion>A system restore point allows a rollback if an issue is encountered when a new device driver is installed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23669-5CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point" to "Disabled".If the following 
registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ - -Value Name: DisableSystemRestore - -Type: REG_DWORD -Value: 0Device Install – Generic Driver Error Report<GroupDescription></GroupDescription>WN12-CC-000020An Error Report must not be sent when a generic device driver is installed.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. -This setting prevents an error report from being sent when a generic device driver is installed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23275-1CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Do not send a Windows error report when a generic driver is installed on a device" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ - -Value Name: DisableSendGenericDriverNotFoundToWER - -Type: REG_DWORD -Value: 1Driver Install – Device Driver Search Prompt<GroupDescription></GroupDescription>WN12-CC-000026Users must not be prompted to search Windows Update for device drivers.<VulnDiscussion>Some features may communicate with the 
vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. -This setting prevents users from being prompted to search Windows Update for device drivers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24804-7CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Driver Installation -> "Turn off Windows Update device driver search prompt" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ - -Value Name: DontPromptForWindowsUpdate - -Type: REG_DWORD -Value: 1Handwriting Recognition Error Reporting<GroupDescription></GroupDescription>WN12-CC-000035Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting prevents errors in handwriting recognition on tablet PCs from being reported to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25580-2CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off handwriting recognition error reporting" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\HandwritingErrorReports\ - -Value Name: PreventHandwritingErrorReports - -Type: REG_DWORD -Value: 1Power Mgmt – Password Wake on Battery<GroupDescription></GroupDescription>WN12-CC-000054Users must be prompted to authenticate on resume from sleep (on battery).<VulnDiscussion>Authentication must always be required when accessing a system. 
This setting ensures the user is prompted for a password on resume from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23998-8CCI-002038Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Power Management -> Sleep Settings -> "Require a password when a computer wakes (on battery)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ - -Value Name: DCSettingIndex - -Type: REG_DWORD -Value: 1Power Mgmt – Password Wake When Plugged In<GroupDescription></GroupDescription>WN12-CC-000055The user must be prompted to authenticate on resume from sleep (plugged in).<VulnDiscussion>Authentication must always be required when accessing a system. 
This setting ensures the user is prompted for a password on resume from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23698-4CCI-002038Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Power Management -> Sleep Settings -> "Require a password when a computer wakes (plugged in)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ - -Value Name: ACSettingIndex - -Type: REG_DWORD -Value: 1Remote Assistance – Session Logging<GroupDescription></GroupDescription>WN12-CC-000062Remote Assistance log files must be generated.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
This setting will turn on session logging for Remote Assistance connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24603-3CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Assistance -> "Turn on session logging" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: LoggingEnabled - -Type: REG_DWORD -Value: 1Windows Explorer – Heap Termination<GroupDescription></GroupDescription>WN12-CC-000090Turning off File Explorer heap termination on corruption must be disabled.<VulnDiscussion>Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. 
Disabling this feature will prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23913-7CCI-002385Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off heap termination on corruption" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ - -Value Name: NoHeapTerminationOnCorruption - -Type: REG_DWORD -Value: 0Media DRM – Internet Access<GroupDescription></GroupDescription>WN12-CC-000120Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This check verifies that Windows Media DRM will be prevented from accessing the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24380-8CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Digital Rights Management -> "Prevent Windows Media DRM Internet Access" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\WMDRM\ - -Value Name: DisableOnline - -Type: REG_DWORD -Value: 1User Network Sharing<GroupDescription></GroupDescription>WN12-UC-000012Users must be prevented from sharing files in their profiles.<VulnDiscussion>Allowing users to share files in their profiles may provide unauthorized access or result in the exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24063-0CCI-000366Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Network Sharing -> "Prevent users from sharing files within their profile" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - 
-Registry Hive: HKEY_CURRENT_USER -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ - -Value Name: NoInPlaceSharing - -Type: REG_DWORD -Value: 1Software Certificate Installation Files<GroupDescription></GroupDescription>WN12-GE-000020Software certificate installation files must be removed from Windows 2012/2012 R2.<VulnDiscussion>Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Remove any certificate installation files (*.p12 and *.pfx) found on a system. - -This does not apply to server-based applications that have a requirement for certificate files, Adobe PreFlight certificate files, or non-certificate installation files with the same extension.Search all drives for *.p12 and *.pfx files. - -If any files with these extensions exist, this is a finding. - -This does not apply to server-based applications that have a requirement for certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. 
These must be documented with the ISSO.UAC - UIAccess Secure Desktop<GroupDescription></GroupDescription>WN12-SO-000086UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECCD-1, ECCD-2</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23295-9CCI-001084UAC requirements are NA on Server Core installations. - -Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" to "Disabled".UAC requirements are NA on Server Core installations. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: EnableUIADesktopToggle - -Value Type: REG_DWORD -Value: 0TS/RDS – COM Port Redirection<GroupDescription></GroupDescription>WN12-CC-000132Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. 
(Remote Desktop Services Role).<VulnDiscussion>Preventing the redirection of Remote Desktop session data to a client computer's COM ports helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24625-6CCI-002314Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow COM port redirection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fDisableCcm - -Type: REG_DWORD -Value: 1TS/RDS – LPT Port Redirection<GroupDescription></GroupDescription>WN12-CC-000133Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. 
(Remote Desktop Services Role).<VulnDiscussion>Preventing the redirection of Remote Desktop session data to a client computer's LPT ports helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24381-6CCI-002314Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow LPT port redirection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fDisableLPT - -Type: REG_DWORD -Value: 1TS/RDS - PNP Device Redirection<GroupDescription></GroupDescription>WN12-CC-000135Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. 
(Remote Desktop Services Role).<VulnDiscussion>Preventing the redirection of Plug and Play devices in Remote Desktop sessions helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24708-0CCI-002314Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow supported Plug and Play device redirection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fDisablePNPRedir - -Type: REG_DWORD -Value: 1TS/RDS – Smart Card Device Redirection<GroupDescription></GroupDescription>WN12-CC-000134The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. 
(Remote Desktop Services Role).<VulnDiscussion>Enabling the redirection of smart card devices allows their use within Remote Desktop sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24260-2CCI-002314Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow smart card device redirection" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: fEnableSmartCard - -Type: REG_DWORD -Value: 1UAC - Application Elevations<GroupDescription></GroupDescription>WN12-SO-000081Windows must elevate all applications in User Account Control, not just signed ones.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures whether Windows elevates all applications, or only signed ones.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23880-8CCI-001084UAC requirements are NA on Server Core installations. - -Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Only elevate executables that are signed and validated" to "Disabled".UAC requirements are NA on Server Core installations. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: ValidateAdminCodeSignatures - -Value Type: REG_DWORD -Value: 0Windows Customer Experience Improvement Program <GroupDescription></GroupDescription>WN12-CC-000045The Windows Customer Experience Improvement Program must be disabled.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting ensures the Windows Customer Experience Improvement Program is disabled so information is not passed to the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24082-0CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Windows Customer Experience Improvement Program" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\SQMClient\Windows\ - -Value Name: CEIPEnable - -Type: REG_DWORD -Value: 0Help Experience Improvement Program <GroupDescription></GroupDescription>WN12-UC-000007The Windows Help Experience Improvement Program must be disabled.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting ensures the Windows Help Experience Improvement Program is disabled to prevent information from being passed to the vendor.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24925-0CCI-000381Configure the policy value for User Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Help Experience Improvement Program" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ - -Value Name: NoImplicitFeedback - -Type: REG_DWORD -Value: 1Help Ratings<GroupDescription></GroupDescription>WN12-UC-000008Windows Help Ratings feedback must be turned off.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting ensures users cannot provide ratings feedback to Microsoft for Help content.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25470-6CCI-000381Configure the policy value for User Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Help Ratings" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \Software\Policies\Microsoft\Assistance\Client\1.0\ - -Value Name: NoExplicitFeedback - -Type: REG_DWORD -Value: 1User Right - Debug Programs<GroupDescription></GroupDescription>WN12-UR-000016The Debug programs user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Debug programs" user right can attach a debugger to any process or to the kernel, providing complete access to sensitive and critical operating system components. 
This right is given to Administrators in the default configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23648-9CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding: - -Administrators - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. - -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).SPN Target Name Validation Level<GroupDescription></GroupDescription>WN12-SO-000035The service principal name (SPN) target name validation level must be turned off.<VulnDiscussion>If a service principle name (SPN) is provided by the client, it is validated against the server's list of SPNs. 
Implementation may disrupt file and print sharing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24502-7CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Server SPN target name validation level" to "Off".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\LanmanServer\Parameters\ - -Value Name: SmbServerNameHardeningLevel - -Type: REG_DWORD -Value: 0Computer Identity Authentication for NTLM<GroupDescription></GroupDescription>WN12-SO-000061Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.<VulnDiscussion>Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously vs. 
using the computer identity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25508-3CCI-000778Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Allow Local System to use computer identity for NTLM" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\LSA\ - -Value Name: UseMachineId - -Type: REG_DWORD -Value: 1NTLM NULL Session Fallback<GroupDescription></GroupDescription>WN12-SO-000062NTLM must be prevented from falling back to a Null session.<VulnDiscussion>NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25531-5CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Allow LocalSystem NULL session fallback" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE 
-Registry Path: \System\CurrentControlSet\Control\LSA\MSV1_0\ - -Value Name: allownullsessionfallback - -Type: REG_DWORD -Value: 0PKU2U Online Identities Authentication<GroupDescription></GroupDescription>WN12-SO-000063PKU2U authentication using online identities must be prevented.<VulnDiscussion>PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25299-9CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\LSA\pku2u\ - -Value Name: AllowOnlineID - -Type: REG_DWORD -Value: 0Kerberos Encryption Types<GroupDescription></GroupDescription>WN12-SO-000064Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.<VulnDiscussion>Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. - -Note: Removing the previously allowed RC4_HMAC_MD5 encryption suite may have operational impacts and must be thoroughly tested for the environment before changing. 
This includes but is not limited to parent\child trusts where RC4 is still enabled; selecting "The other domain supports Kerberos AES Encryption" may be required on the domain trusts to allow client communication across the trust relationship.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24147-1CCI-000803Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: - -AES128_HMAC_SHA1 -AES256_HMAC_SHA1 -Future encryption types - -Note: Removing the previously allowed RC4_HMAC_MD5 encryption suite may have operational impacts and must be thoroughly tested for the environment before changing. This includes but is not limited to parent\child trusts where RC4 is still enabled; selecting "The other domain supports Kerberos AES Encryption" may be required on the domain trusts to allow client communication across the trust relationship.If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ - -Value Name: SupportedEncryptionTypes - -Value Type: REG_DWORD -Value: 0x7ffffff8 (2147483640) - -Note: Removing the previously allowed RC4_HMAC_MD5 encryption suite may have operational impacts and must be thoroughly tested for the environment before changing. 
This includes but is not limited to parent\child trusts where RC4 is still enabled; selecting "The other domain supports Kerberos AES Encryption" may be required on the domain trusts to allow client communication across the trust relationship.IPv6 Source Routing<GroupDescription></GroupDescription>WN12-SO-000037IPv6 source routing must be configured to the highest protection level.<VulnDiscussion>Configuring the system to disable IPv6 source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24452-5CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" to "Highest protection, source routing is completely disabled". 
- -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ - -Value Name: DisableIPSourceRouting - -Type: REG_DWORD -Value: 2IPv6 TCP Data Retransmissions<GroupDescription></GroupDescription>WN12-SO-000047IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.<VulnDiscussion>Configuring Windows to limit the number of times that IPv6 TCP retransmits unacknowledged data segments before aborting the attempt helps prevent resources from becoming exhausted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25202-3CCI-002385Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" to "3" or less. 
- -(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ - -Value Name: TcpMaxDataRetransmissions - -Value Type: REG_DWORD -Value: 3 (or less)Elevate when setting a network’s location<GroupDescription></GroupDescription>WN12-CC-000005Domain users must be required to elevate when setting a networks location.<VulnDiscussion>Selecting an incorrect network location may allow greater exposure of a system. Elevation is required by default on nondomain systems to change network location. This setting configures elevation to also be required on domain-joined systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23388-2CCI-001084Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> "Require domain users to elevate when setting a network's location" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Network Connections\ - -Value Name: NC_StdDomainUserSetLocation - -Type: REG_DWORD -Value: 1Direct Access – Route Through Internal Network<GroupDescription></GroupDescription>WN12-CC-000006All Direct Access traffic must be routed through the internal network.<VulnDiscussion>Routing all Direct Access 
traffic through the internal network allows monitoring and prevents split tunneling.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25221-3CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> "Route all traffic through the internal network" to "Enabled: Enabled State".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ - -Value Name: Force_Tunneling - -Type: REG_SZ -Value: EnabledWindows Update Point and Print Driver Search<GroupDescription></GroupDescription>WN12-CC-000016Windows Update must be prevented from searching for point and print drivers.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. -This setting will prevent Windows from searching Windows Update for point and print drivers. 
Only the local driver store and server driver cache will be searched.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24139-8CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> Printers -> "Extend Point and Print connection to search Windows Update" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Printers\ - -Value Name: DoNotInstallCompatibleDriverFromWindowsUpdate - -Type: REG_DWORD -Value: 1Prevent device metadata retrieval from Internet<GroupDescription></GroupDescription>WN12-CC-000022Device metadata retrieval from the Internet must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting will prevent Windows from retrieving device metadata from the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24165-3CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Installation >> "Prevent device metadata retrieval from the Internet" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Device Metadata\ - -Value Name: PreventDeviceMetadataFromNetwork - -Value Type: REG_DWORD -Value: 1Prevent Windows Update for device driver search<GroupDescription></GroupDescription>WN12-CC-000024Device driver searches using Windows Update must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting will prevent the system from searching Windows Update for device drivers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24777-5CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Specify search order for device driver source locations" to "Enabled: Do not search Windows Update".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ - -Value Name: SearchOrderConfig - -Type: REG_DWORD -Value: 0MSDT Interactive Communication<GroupDescription></GroupDescription>WN12-CC-000066Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting prevents the MSDT from communicating with and sending collected data to Microsoft, the default support provider.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23633-1CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Microsoft Support Diagnostic Tool -> "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ - -Value Name: DisableQueryRemoteServer - -Type: REG_DWORD -Value: 0Windows Online Troubleshooting Service<GroupDescription></GroupDescription>WN12-CC-000067Access to Windows Online Troubleshooting Service (WOTS) must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. -This setting prevents users from searching troubleshooting content on Microsoft servers. 
Only local content will be available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24776-7CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics -> "Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\ - -Value Name: EnableQueryRemoteServer - -Type: REG_DWORD -Value: 0Disable PerfTrack<GroupDescription></GroupDescription>WN12-CC-000068Responsiveness events must be prevented from being aggregated and sent to Microsoft.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting prevents responsiveness events from being aggregated and sent to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25080-3CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Windows Performance PerfTrack -> "Enable/Disable PerfTrack" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ - -Value Name: ScenarioExecutionEnabled - -Type: REG_DWORD -Value: 0Application Compatibility Program Inventory<GroupDescription></GroupDescription>WN12-CC-000071The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. 
-This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25331-0CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Application Compatibility -> "Turn off Inventory Collector" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ - -Value Name: DisableInventory - -Type: REG_DWORD -Value: 1Autoplay for non-volume devices<GroupDescription></GroupDescription>WN12-CC-000072Autoplay must be turned off for non-volume devices.<VulnDiscussion>Allowing Autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. 
This setting will disable Autoplay for non-volume devices (such as Media Transfer Protocol (MTP) devices).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24715-5CCI-001764Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies -> "Disallow Autoplay for non-volume devices" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ - -Value Name: NoAutoplayfornonVolume - -Type: REG_DWORD -Value: 1Explorer Data Execution Prevention<GroupDescription></GroupDescription>WN12-CC-000089Explorer Data Execution Prevention must be enabled.<VulnDiscussion>Data Execution Prevention (DEP) provides additional protection by performing checks on memory to help prevent malicious code from running. 
This setting will prevent Data Execution Prevention from being turned off for File Explorer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25147-0CCI-002824Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off Data Execution Prevention for Explorer" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Explorer\ - -Value Name: NoDataExecutionPrevention - -Type: REG_DWORD -Value: 0Default Autorun Behavior<GroupDescription></GroupDescription>WN12-CC-000073The default Autorun behavior must be configured to prevent Autorun commands.<VulnDiscussion>Allowing Autorun commands to execute may introduce malicious code to a system. 
Configuring this setting prevents Autorun commands from executing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25487-0CCI-001764Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies -> "Set the default behavior for AutoRun" to "Enabled:Do not execute any autorun commands".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ - -Value Name: NoAutorun - -Type: REG_DWORD -Value: 1Winlogon Registry Permissions<GroupDescription></GroupDescription>WN12-RG-000001Standard user accounts must only have Read permissions to the Winlogon registry key.<VulnDiscussion>Permissions on the Winlogon registry key must only allow privileged accounts to change registry values. If standard users have these permissions, there is a potential for programs to run with elevated privileges when a privileged user logs on to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-002235Maintain permissions at least as restrictive as the defaults listed below for the "WinLogon" registry key. 
It is recommended to not change the permissions from the defaults. - -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -The following are the same for each permission listed: -Type - Allow -Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion -Applies to - This key and subkeys - -Columns: Principal - Access -TrustedInstaller - Full Control -SYSTEM - Full Control -Administrators - Full Control -Users - Read -ALL APPLICATION PACKAGES - ReadRun "Regedit". -Navigate to the following registry key: -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Right-click on "WinLogon" and select "Permissions…". -Select "Advanced". - -If the permissions are not as restrictive as the defaults listed below, this is a finding. - -The following are the same for each permission listed: -Type - Allow -Inherited from - MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion -Applies to - This key and subkeys - -Columns: Principal - Access -TrustedInstaller - Full Control -SYSTEM - Full Control -Administrators - Full Control -Users - Read -ALL APPLICATION PACKAGES - ReadRestrict Anonymous SAM Enumeration<GroupDescription></GroupDescription>WN12-SO-000051Anonymous enumeration of SAM accounts must not be allowed.<VulnDiscussion>Anonymous enumeration of SAM accounts allows anonymous log on users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23082-1CCI-000366Configure the policy value for Computer Configuration -> Windows Settings -> 
Security Settings -> Local Policies -> Security Options -> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Control\Lsa\ - -Value Name: RestrictAnonymousSAM - -Value Type: REG_DWORD -Value: 1Legal Banner Dialog Box Title<GroupDescription></GroupDescription>WN12-SO-000023The Windows dialog box title for the legal banner must be configured.<VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24020-0CCI-000048CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Message title for users attempting to log on" to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. 
- -If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: LegalNoticeCaption - -Value Type: REG_SZ -Value: See message title options below - -"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or a site-defined equivalent. - -If a site-defined title is used, it can in no case contravene or modify the language of the banner text required in V-1089. - -Automated tools may only search for the titles defined above. If a site-defined title is used, a manual review will be required.Access Credential Manager as a trusted caller<GroupDescription></GroupDescription>WN12-UR-000001The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -Accounts with the "Access Credential Manager as a trusted caller" user right may be able to retrieve the credentials of other accounts from Credential Manager.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25683-4CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding.Access this computer from the network<GroupDescription></GroupDescription>WN12-UR-000002-MSThe Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -Accounts with the "Access this computer from the network" user right may access resources on the system, and must be limited to those that require it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24938-3CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to only include the following accounts or groups: - -Administrators -Authenticated UsersVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Access this computer from the network" user right, this is a finding: - -Administrators -Authenticated Users - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. - -The application account must meet requirements for application account passwords, such as length (V-36661) and required changes frequency (V-36662).Allow log on locally<GroupDescription></GroupDescription>WN12-UR-000005The Allow log on locally user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -Accounts with the "Allow log on locally" user right can log on interactively to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25228-8CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: - -Administrators - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. - -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Allow log on through Remote Desktop Services<GroupDescription></GroupDescription>WN12-UR-000006-MSThe Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group and other approved groups.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -Accounts with the "Allow log on through Remote Desktop Services" user right can access a system through Remote Desktop.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24406-1CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on through Remote Desktop Services" to only include the following accounts or groups: - -Administrators - -If the system serves the Remote Desktop Services role, the Remote Desktop Users group or another more restrictive group may be included. - -Organizations may grant this to other groups, such as more restrictive groups with administrative or management functions, if required. Remote Desktop Services access must be restricted to the accounts that require it. This must be documented with the ISSO.Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding: - -Administrators - -If the system serves the Remote Desktop Services role, the Remote Desktop Users group or another more restrictive group may be included. - -Organizations may grant this to other groups, such as more restrictive groups with administrative or management functions, if required. Remote Desktop Services access must be restricted to the accounts that require it. 
This must be documented with the ISSO.Back up files and directories<GroupDescription></GroupDescription>WN12-UR-000007The Back up files and directories user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Back up files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25380-7CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding: - -Administrators - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. 
- -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Create a pagefile<GroupDescription></GroupDescription>WN12-UR-000011The Create a pagefile user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Create a pagefile" user right can change the size of a pagefile, which could affect system performance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23972-3CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a pagefile" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding: - -AdministratorsCreate a token object<GroupDescription></GroupDescription>WN12-UR-000012The Create a token object user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Create a token object" user right allows a process to create an access token. 
This could be used to provide elevated rights and compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23939-2CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups are granted the "Create a token object" user right, this is a finding. - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. - -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Create global objects<GroupDescription></GroupDescription>WN12-UR-000013The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -Accounts with the "Create global objects" user right can create objects that are available to all sessions, which could affect processes in other users' sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23850-1CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create global objects" to only include the following accounts or groups: - -Administrators -Service -Local Service -Network ServiceVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding: - -Administrators -Service -Local Service -Network Service - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. - -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Create permanent shared objects<GroupDescription></GroupDescription>WN12-UR-000014The Create permanent shared objects user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -Accounts with the "Create permanent shared objects" user right could expose sensitive data by creating shared objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23723-0CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create permanent shared objects" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding.Create symbolic links<GroupDescription></GroupDescription>WN12-UR-000015The Create symbolic links user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -Accounts with the "Create symbolic links" user right can create pointers to other objects, which could potentially expose the system to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24549-8CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create symbolic links" to only include the following accounts or groups: - -Administrators - -Systems that have the Hyper-V role will also have "Virtual Machines" given this user right. If this needs to be added manually, enter it as "NT Virtual Machine\Virtual Machines".Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding: - -Administrators - -Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines"). This is not a finding.Deny log on as a batch job<GroupDescription></GroupDescription>WN12-UR-000018-MSThe Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems, and from unauthenticated access on all systems.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -The "Deny log on as a batch job" user right defines accounts that are prevented from logging on to the system as a batch job such, as Task Scheduler. - -In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. - -The Guests group must be assigned to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25215-5CCI-000213Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on as a batch job" to include the following: - -Domain Systems Only: -Enterprise Admins Group -Domain Admins Group - -All Systems: -Guests GroupVerify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. - -If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding: - -Domain Systems Only: -Enterprise Admins Group -Domain Admins Group - -All Systems: -Guests GroupDeny log on as service <GroupDescription></GroupDescription>WN12-UR-000019-MSThe Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. 
No other groups or accounts must be assigned this right.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Deny log on as a service" user right defines accounts that are denied log on as a service. - -In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. - -Incorrect configurations could prevent services from starting and result in a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23117-5CCI-000213Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on as a service" to include the following for domain-joined systems: - -Enterprise Admins Group -Domain Admins Group - -Configure the "Deny log on as a service" for nondomain systems to include no entries (blank).Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
- -If the following accounts or groups are not defined for the "Deny log on as a service" user right on domain-joined systems, this is a finding: - -Enterprise Admins Group -Domain Admins Group - -If any accounts or groups are defined for the "Deny log on as a service" user right on non-domain-joined systems, this is a finding.Deny log on locally<GroupDescription></GroupDescription>WN12-UR-000020-MSThe Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems, and from unauthenticated access on all systems.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Deny log on locally" user right defines accounts that are prevented from logging on interactively. - -In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. - -The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24460-8CCI-000213Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on locally" to include the following: - -Domain Systems Only: -Enterprise Admins Group -Domain Admins Group - -All Systems: -Guests GroupVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". 
- -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. - -If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding: - -Domain Systems Only: -Enterprise Admins Group -Domain Admins Group - -All Systems: -Guests GroupDeny log on through Remote Desktop \ Terminal Services<GroupDescription></GroupDescription>WN12-UR-000021-MSThe Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems, and from unauthenticated access on all systems.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Deny log on through Remote Desktop Services" user right defines the accounts that are prevented from logging on using Remote Desktop Services. - -In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks which could lead to the compromise of an entire domain. - -Local accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. 
- -The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23273-6CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following: - -Domain Systems Only: -Enterprise Admins group -Domain Admins group -Local account (see Note below) - -All Systems: -Guests group - -Note: Windows Server 2012 R2 added new built-in security groups, including "Local account", for assigning permissions and rights to all local accounts. -Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012.Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: - -Domain Systems Only: -Enterprise Admins group -Domain Admins group -Local account (see Note below) - -All Systems: -Guests group - -Note: Windows Server 2012 R2 added new built-in security groups, including "Local account", for assigning permissions and rights to all local accounts. 
-Microsoft Security Advisory Patch 2871997 adds the new security groups to Windows Server 2012.Enable accounts to be trusted for delegation<GroupDescription></GroupDescription>WN12-UR-000022-MSUnauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on member servers.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. This could potentially allow unauthorized users to impersonate other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25270-0CCI-002235Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Enable computer and user accounts to be trusted for delegation" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. 
- -If any accounts or groups are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding.Force shutdown from a remote system<GroupDescription></GroupDescription>WN12-UR-000023The Force shutdown from a remote system user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Force shutdown from a remote system" user right can remotely shut down a system, which could result in a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24734-6CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: - -AdministratorsGenerate security audits<GroupDescription></GroupDescription>WN12-UR-000024The Generate security audits user right must only be assigned to Local Service and Network Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -The "Generate security audits" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24048-1CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Generate security audits" to only include the following accounts or groups: - -Local Service -Network ServiceVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding: - -Local Service -Network Service - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. - -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Impersonate a client after authentication<GroupDescription></GroupDescription>WN12-UR-000025The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -The "Impersonate a client after authentication" user right allows a program to impersonate another user or account to run on their behalf. An attacker could potentially use this to elevate privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24477-2CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to only include the following accounts or groups: - -Administrators -Service -Local Service -Network ServiceVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding: - -Administrators -Service -Local Service -Network Service - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. 
- -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Increase scheduling priority<GroupDescription></GroupDescription>WN12-UR-000027The Increase scheduling priority user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Increase scheduling priority" user right can change a scheduling priority causing performance issues or a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24911-0CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Increase scheduling priority" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding: - -Administrators - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. 
- -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Load and unload device drivers<GroupDescription></GroupDescription>WN12-UR-000028The Load and unload device drivers user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Load and unload device drivers" user right allows device drivers to dynamically be loaded on a system by a user. This could potentially be used to install malicious code by an attacker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24779-1CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
- -If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding: - -AdministratorsLock pages in memory<GroupDescription></GroupDescription>WN12-UR-000029The Lock pages in memory user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Lock pages in memory" user right allows physical memory to be assigned to processes, which could cause performance issues or a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23829-5CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding. - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. 
- -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Manage auditing and security log<GroupDescription></GroupDescription>WN12-UR-000032The Manage auditing and security log user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Manage auditing and security log" user right can manage the security log and change auditing configurations. This could be used to clear evidence of tampering.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23456-7CCI-000162CCI-000163CCI-000164CCI-000171CCI-001914Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding: - -Administrators - -If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. - -If an application requires this user right, this would not be a finding. 
- -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. - -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Modify firmware environment values<GroupDescription></GroupDescription>WN12-UR-000034The Modify firmware environment values user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Modify firmware environment values" user right can change hardware configuration environment variables. This could result in hardware failures or a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25533-1CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Modify firmware environment values" to only include the following accounts or groups: - -Administrators -Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
- -If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding: - -AdministratorsPerform volume maintenance tasks<GroupDescription></GroupDescription>WN12-UR-000035The Perform volume maintenance tasks user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Perform volume maintenance tasks" user right can manage volume and disk configurations. They could potentially delete volumes, resulting in data loss or a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25070-4CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding: - -AdministratorsProfile single process<GroupDescription></GroupDescription>WN12-UR-000036The Profile single process user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -Accounts with the "Profile single process" user right can monitor nonsystem processes performance. An attacker could potentially use this to identify processes to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23844-4CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Profile single process" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding: - -AdministratorsRestore files and directories<GroupDescription></GroupDescription>WN12-UR-000040The Restore files and directories user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Restore files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data. 
It could also be used to overwrite more current data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25518-2CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding: - -Administrators - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. - -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Take ownership of files or other objects<GroupDescription></GroupDescription>WN12-UR-000042The Take ownership of files or other objects user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -Accounts with the "Take ownership of files or other objects" user right can take ownership of objects and make changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25585-1CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Take ownership of files or other objects" to only include the following accounts or groups: - -AdministratorsVerify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding: - -Administrators - -If an application requires this user right, this would not be a finding. - -Vendor documentation must support the requirement for having the user right. - -The requirement must be documented with the ISSO. - -The application account must meet requirements for application account passwords, such as length (WN12-00-000010) and required frequency of changes (WN12-00-000011).Audit - Credential Validation - Success<GroupDescription></GroupDescription>WN12-AU-000001The system must be configured to audit Account Logon - Credential Validation successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> "Audit Credential Validation" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Account Logon -> Credential Validation - SuccessAudit - Credential Validation - Failure<GroupDescription></GroupDescription>WN12-AU-000002The system must be configured to audit Account Logon - Credential Validation failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Credential validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Logon -> "Audit Credential Validation" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
- -Account Logon -> Credential Validation - FailureAudit - Other Account Management Events - Success<GroupDescription></GroupDescription>WN12-AU-000015The system must be configured to audit Account Management - Other Account Management Events successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Other Account Management Events records events such as the access of a password hash or the Password Policy Checking API being called.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit Other Account Management Events" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding. - -Account Management -> Other Account Management Events - SuccessAudit - Security Group Management - Success<GroupDescription></GroupDescription>WN12-AU-000017The system must be configured to audit Account Management - Security Group Management successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Security Group Management records events such as creating, deleting, or changing security groups, including changes in group members.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit Security Group Management" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Account Management -> Security Group Management - SuccessAudit - User Account Management - Success<GroupDescription></GroupDescription>WN12-AU-000019The system must be configured to audit Account Management - User Account Management successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit User Account Management" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Account Management -> User Account Management - SuccessAudit - User Account Management - Failure<GroupDescription></GroupDescription>WN12-AU-000020The system must be configured to audit Account Management - User Account Management failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management -> "Audit User Account Management" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Account Management -> User Account Management - FailureAudit - Process Creation - Success<GroupDescription></GroupDescription>WN12-AU-000023The system must be configured to audit Detailed Tracking - Process Creation successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Process Creation records events related to the creation of a process and the source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> "Audit Process Creation" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Detailed Tracking -> Process Creation - SuccessAudit - Logoff - Success<GroupDescription></GroupDescription>WN12-AU-000045The system must be configured to audit Logon/Logoff - Logoff successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000067CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Logoff" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Logon/Logoff -> Logoff - SuccessAudit - Logon - Success<GroupDescription></GroupDescription>WN12-AU-000047The system must be configured to audit Logon/Logoff - Logon successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000067CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Logon" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Logon/Logoff -> Logon - SuccessAudit - Logon - Failure<GroupDescription></GroupDescription>WN12-AU-000048The system must be configured to audit Logon/Logoff - Logon failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000067CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Logon" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
- -Logon/Logoff -> Logon - FailureAudit - Special Logon - Success<GroupDescription></GroupDescription>WN12-AU-000053The system must be configured to audit Logon/Logoff - Special Logon successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Special Logon records special logons which have administrative privileges and can be used to elevate processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff -> "Audit Special Logon" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
- -Logon/Logoff -> Special Logon - SuccessAudit - Audit Policy Change - Success<GroupDescription></GroupDescription>WN12-AU-000085The system must be configured to audit Policy Change - Audit Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Policy Change records events related to changes in audit policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Audit Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
- -Policy Change -> Audit Policy Change - SuccessAudit - Audit Policy Change - Failure<GroupDescription></GroupDescription>WN12-AU-000086The system must be configured to audit Policy Change - Audit Policy Change failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Policy Change records events related to changes in audit policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Audit Policy Change" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
- -Policy Change -> Audit Policy Change - FailureAudit - Authentication Policy Change - Success<GroupDescription></GroupDescription>WN12-AU-000087The system must be configured to audit Policy Change - Authentication Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Authentication Policy Change records events related to changes in authentication policy, including Kerberos policy and Trust changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Authentication Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding. - -Policy Change -> Authentication Policy Change - SuccessAudit - Sensitive Privilege Use - Success<GroupDescription></GroupDescription>WN12-AU-000101The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Privilege Use -> "Audit Sensitive Privilege Use" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". 
- -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Privilege Use -> Sensitive Privilege Use - SuccessAudit - Sensitive Privilege Use - Failure<GroupDescription></GroupDescription>WN12-AU-000102The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Privilege Use -> "Audit Sensitive Privilege Use" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Privilege Use -> Sensitive Privilege Use - FailureAudit - IPSec Driver - Success<GroupDescription></GroupDescription>WN12-AU-000103The system must be configured to audit System - IPsec Driver successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -IPsec Driver records events related to the IPSec Driver such as dropped packets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit IPsec Driver" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -System -> IPsec Driver - SuccessAudit - IPSec Driver - Failure<GroupDescription></GroupDescription>WN12-AU-000104The system must be configured to audit System - IPsec Driver failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -IPsec Driver records events related to the IPsec Driver such as dropped packets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit IPsec Driver" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -System -> IPsec Driver - FailureAudit - Security State Change - Success<GroupDescription></GroupDescription>WN12-AU-000107The system must be configured to audit System - Security State Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Security State Change records events related to changes in the security state, such as startup and shutdown of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit Security State Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -System -> Security State Change - SuccessAudit - Security System Extension - Success<GroupDescription></GroupDescription>WN12-AU-000109The system must be configured to audit System - Security System Extension successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Security System Extension records events related to extension code being loaded by the security subsystem.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit Security System Extension" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -System -> Security System Extension - SuccessAudit - System Integrity - Success<GroupDescription></GroupDescription>WN12-AU-000111The system must be configured to audit System - System Integrity successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -System Integrity records events related to violations of integrity to the security subsystem.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit System Integrity" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -System -> System Integrity - SuccessAudit - System Integrity - Failure<GroupDescription></GroupDescription>WN12-AU-000112The system must be configured to audit System - System Integrity failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -System Integrity records events related to violations of integrity to the security subsystem.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-002234Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> System -> "Audit System Integrity" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -System -> System Integrity - Failure6to4 State<GroupDescription></GroupDescription>WN12-CC-000007The 6to4 IPv6 transition technology must be disabled.<VulnDiscussion>IPv6 transition technologies, which tunnel packets through other protocols, do not provide visibility.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24732-0CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies -> "Set 6to4 State" to "Enabled: Disabled State".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ - -Value Name: 6to4_State - -Type: REG_SZ -Value: DisabledIP-HTTPS State<GroupDescription></GroupDescription>WN12-CC-000008The IP-HTTPS IPv6 transition technology must be disabled.<VulnDiscussion>IPv6 transition technologies, which tunnel packets through other protocols, do not provide 
visibility.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25651-1CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies -> "Set IP-HTTPS State" to "Enabled: Disabled State". - -Note: "IPHTTPS URL:" must be entered in the policy even if set to Disabled State. Enter "about:blank".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\ - -Value Name: IPHTTPS_ClientState - -Type: REG_DWORD -Value: 3ISATAP State<GroupDescription></GroupDescription>WN12-CC-000009The ISATAP IPv6 transition technology must be disabled.<VulnDiscussion>IPv6 transition technologies, which tunnel packets through other protocols, do not provide visibility.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25249-4CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies -> "Set ISATAP State" to "Enabled: Disabled State".If the following registry value does not exist or is not configured as 
specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ - -Value Name: ISATAP_State - -Type: REG_SZ -Value: DisabledTeredo State<GroupDescription></GroupDescription>WN12-CC-000010The Teredo IPv6 transition technology must be disabled.<VulnDiscussion>IPv6 transition technologies, which tunnel packets through other protocols, do not provide visibility.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25571-1CCI-000382Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies -> "Set Teredo State" to "Enabled: Disabled State".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ - -Value Name: Teredo_State - -Type: REG_SZ -Value: DisabledMaximum Log Size - Application<GroupDescription></GroupDescription>WN12-CC-000084The Application event log size must be configured to 32768 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24277-6CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.If the system is configured to write events directly to an audit server, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ - -Value Name: MaxSize - -Type: REG_DWORD -Value: 0x00008000 (32768) (or greater)Maximum Log Size - Security<GroupDescription></GroupDescription>WN12-CC-000085The Security event log size must be configured to 196608 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24572-0CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Security >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "196608" or greater.If the system is configured to write events directly to an audit server, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ - -Value Name: MaxSize - -Type: REG_DWORD -Value: 0x00030000 (196608) (or greater)Maximum Log Size - Setup<GroupDescription></GroupDescription>WN12-CC-000086The Setup event log size must be configured to 32768 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23743-8CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Setup >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.If the system is configured to write events directly to an audit server, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\ - -Value Name: MaxSize - -Type: REG_DWORD -Value: 0x00008000 (32768) (or greater)Maximum Log Size - System<GroupDescription></GroupDescription>WN12-CC-000087The System event log size must be configured to 32768 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24411-1CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> System >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.If the system is configured to write events directly to an audit server, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ - -Value Name: MaxSize - -Type: REG_DWORD -Value: 0x00008000 (32768) (or greater)Fax Service Disabled <GroupDescription></GroupDescription>WN12-SV-000100The Fax service must be disabled if installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25383-1CCI-000381Remove or disable the Fax (fax) service.Verify the Fax (fax) service is not installed or is disabled. - -Run "Services.msc". - -If the following is installed and not disabled, this is a finding: - -Fax (fax)Microsoft FTP Service Disabled<GroupDescription></GroupDescription>WN12-SV-000101The Microsoft FTP service must not be installed unless required.<VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23863-4CCI-000382Remove or disable the "Microsoft FTP Service" (Service name: FTPSVC). - -To remove the "FTP Server" role from a system: -Start "Server Manager" -Select the server with the "FTP Server" role. -Scroll down to "ROLES AND FEATURES" in the left pane. -Select "Remove Roles and Features" from the drop down "TASKS" list. -Select the appropriate server on the "Server Selection" page, click "Next". -De-select "FTP Server" under "Web Server (IIS). 
-Click "Next" and "Remove" as prompted.If the server has the role of an FTP server, this is NA. - -Run "Services.msc". - -If the "Microsoft FTP Service" (Service name: FTPSVC) is installed and not disabled, this is a finding.Peer Networking Identity Manager Service Disabled<GroupDescription></GroupDescription>WN12-SV-000103The Peer Networking Identity Manager service must be disabled if installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24910-2CCI-000381Remove or disable the Peer Networking Identity Manager (p2pimsvc) service.Verify the Peer Network Identity Manager (p2pimsvc) service is not installed or is disabled. - -Run "Services.msc". - -If the following is installed and not disabled, this is a finding: - -Peer Networking Identity Manager (p2pimsvc)Simple TCP/IP Services Disabled<GroupDescription></GroupDescription>WN12-SV-000104The Simple TCP/IP Services service must be disabled if installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23748-7CCI-000381Remove or disable the Simple TCP/IP Services (simptcp) service.Verify the Simple TCP/IP (simptcp) service is not installed or is disabled. - -Run "Services.msc". - -If the following is installed and not disabled, this is a finding: - -Simple TCP/IP Services (simptcp)Telnet Service Disabled<GroupDescription></GroupDescription>WN12-SV-000105The Telnet service must be disabled if installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24474-9CCI-000382Remove or disable the Telnet (tlntsvr) service.Verify the Telnet (tlntsvr) service is not installed or is disabled. - -Run "Services.msc". 
- -If the following is installed and not disabled, this is a finding: - -Telnet (tlntsvr)Device Install Software Request Error Report<GroupDescription></GroupDescription>WN12-CC-000023Windows must be prevented from sending an error report when a device driver requests additional software during installation.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system. -This setting will prevent Windows from sending an error report to Microsoft when a device driver requests additional software during installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24685-0CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Prevent Windows from sending an error report when a device driver requests additional software during installation" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ - -Value Name: DisableSendRequestAdditionalSoftwareToWER - -Type: REG_DWORD -Value: 1WINPK-000001<GroupDescription></GroupDescription>WN12-PK-000001The DoD Root CA certificates must be installed in the Trusted Root Store.<VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD 
Root Certificate Authorities (CAs). The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000185CCI-002470Install the DoD Root CA certificates. -DoD Root CA 2 -DoD Root CA 3 -DoD Root CA 4 -DoD Root CA 5 - -The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.Verify the DoD Root CA certificates are installed as Trusted Root Certification Authorities. - -The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. - -Run "PowerShell" as an administrator. - -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter - -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. - -If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. - -Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 -NotAfter: 12/5/2029 - -Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB -NotAfter: 12/30/2029 - -Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 -NotAfter: 7/25/2032 - -Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. 
Government, C=US -Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B -NotAfter: 6/14/2041 - -Alternately use the Certificates MMC snap-in: - -Run "MMC". - -Select "File", "Add/Remove Snap-in". - -Select "Certificates", click "Add". - -Select "Computer account", click "Next". - -Select "Local computer: (the computer this console is running on)", click "Finish". - -Click "OK". - -Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". - -For each of the DoD Root CA certificates noted below: - -Right-click on the certificate and select "Open". - -Select the "Details" Tab. - -Scroll to the bottom and select "Thumbprint". - -If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. - -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. - -DoD Root CA 2 -Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 -Valid to: Wednesday, December 5, 2029 - -DoD Root CA 3 -Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB -Valid to: Sunday, December 30, 2029 - -DoD Root CA 4 -Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 -Valid to: Sunday, July 25, 2032 - -DoD Root CA 5 -Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B -Valid to: Friday, June 14, 2041WINPK-000003<GroupDescription></GroupDescription>WN12-PK-000003The DoD Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.<VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. 
This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000185CCI-002470Install the DoD Interoperability Root CA cross-certificates on unclassified systems. - -Issued To - Issued By - Thumbprint -DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F -DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341 - -The certificates can be installed using the InstallRoot tool. The tool and user guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. - -Run "PowerShell" as an administrator. - -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter - -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. - -If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. - -Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F -NotAfter: 9/6/2019 - -Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US -Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US -Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 -NotAfter: 1/22/2022 - -Alternately use the Certificates MMC snap-in: - -Run "MMC". - -Select "File", "Add/Remove Snap-in". - -Select "Certificates", click "Add". - -Select "Computer account", click "Next". - -Select "Local computer: (the computer this console is running on)", click "Finish". - -Click "OK". - -Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". - -For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": - -Right-click on the certificate and select "Open". - -Select the "Details" Tab. - -Scroll to the bottom and select "Thumbprint". - -If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. - -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. - -Issued To: DoD Root CA 2 -Issued By: DoD Interoperability Root CA 1 -Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F -Valid to: Friday, September 6, 2019 - -Issued To: DoD Root CA 3 -Issued By: DoD Interoperability Root CA 2 -Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 -Valid to: Saturday, January 22, 2022WINRG-000001 Active Setup\Installed Components Registry Permissions<GroupDescription></GroupDescription>WN12-RG-000002Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.<VulnDiscussion>Permissions on the Active Setup\Installed Components registry key must only allow privileged accounts to add or change registry values. 
If standard user accounts have these permissions, there is a potential for programs to run with elevated privileges when a privileged user logs on to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-002235Maintain the default permissions of the following registry keys: -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ -HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems only) - -Users - Read -Administrators - Full Control -SYSTEM - Full Control -CREATOR OWNER - Full Control (Subkeys only) -ALL APPLICATION PACKAGES - ReadRun "Regedit". -Navigate to the following registry keys and review the permissions: -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ -HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems) - -If the default permissions listed below have been changed, this is a finding. - -Users - Read -Administrators - Full Control -SYSTEM - Full Control -CREATOR OWNER - Full Control (Subkeys only) -ALL APPLICATION PACKAGES - ReadAlways Install with Elevated Privileges Disabled<GroupDescription></GroupDescription>WN12-CC-000116The Windows Installer Always install with elevated privileges option must be disabled.<VulnDiscussion>Standard user accounts must not be granted elevated privileges. 
Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23919-4CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Always install with elevated privileges" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Installer\ - -Value Name: AlwaysInstallElevated - -Type: REG_DWORD -Value: 0Local admin accounts filtered token policy enabled on domain systems.<GroupDescription></GroupDescription>WN12-RG-000003-MSLocal administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.<VulnDiscussion>A compromised local administrator account can provide means for an attacker to move laterally between domain systems. 
- -With User Account Control enabled, filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-001084Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Apply UAC restrictions to local accounts on network logons" to "Enabled". - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the system is not a member of a domain, this is NA. -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: LocalAccountTokenFilterPolicy - -Type: REG_DWORD -Value: 0x00000000 (0) - -This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. 
If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to 1 may be required.Accounts with administrative privileges Internet access<GroupDescription></GroupDescription>WN12-00-000008Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.<VulnDiscussion>Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. - -Since administrative accounts may generally change or work around technical restrictions for running a web browser or other applications, it is essential that policy requires administrative accounts to not access the Internet or use applications, such as email. - -The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. 
- -Technical means such as application whitelisting can be used to enforce the policy to ensure compliance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Establish and enforce a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. - -Implement technical measures where feasible such as removal of applications or use of application whitelisting to restrict the use of applications that can access the Internet.Determine whether administrative accounts are prevented from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. - -The organization must have a policy that prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. - -Technical measures such as the removal of applications or application whitelisting must be used where feasible to prevent the use of applications that access the Internet. 
- -If accounts with administrative privileges are not prevented from using applications that access the Internet or with potential Internet sources, this is a finding.WINUC-000001<GroupDescription></GroupDescription>WN12-UC-000001A screen saver must be enabled on the system.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked when unattended. Enabling a password-protected screen saver to engage after a specified period of time helps protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24055-6CCI-000060Configure the policy value for User Configuration -> Administrative Templates -> Control Panel -> Personalization -> "Enable screen saver" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ - -Value Name: ScreenSaveActive - -Type: REG_SZ -Value: 1 - -Applications requiring continuous, real-time screen display (e.g., network management products) require the following and must be documented with the ISSO: - --The logon session does not have administrator rights. --The display station (e.g., keyboard, monitor, etc.) is located in a controlled access area.WINUC-000003<GroupDescription></GroupDescription>WN12-UC-000003The screen saver must be password protected.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked when unattended. 
Enabling a password-protected screen saver to engage after a specified period of time helps protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>PESL-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24680-1CCI-000056Configure the policy value for User Configuration -> Administrative Templates -> Control Panel -> Personalization -> "Password protect the screen saver" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \Software\Policies\Microsoft\Windows\Control Panel\Desktop\ - -Value Name: ScreenSaverIsSecure - -Type: REG_SZ -Value: 1WIN00-000005-01<GroupDescription></GroupDescription>WN12-00-000004Users with administrative privilege must be documented.<VulnDiscussion>Administrative accounts may perform any action on a system. 
Users with administrative accounts must be documented to ensure those with this level of access are clearly identified.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Create the necessary documentation that identifies the members of the Administrators group.Review the necessary documentation that identifies the members of the Administrators group. If a list of all users belonging to the Administrators group is not maintained with the ISSO, this is a finding.WIN00-000005-02<GroupDescription></GroupDescription>WN12-00-000005Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.<VulnDiscussion>Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECLP-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. 
- -If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.WIN00-000010-01<GroupDescription></GroupDescription>WN12-00-000010Policy must require application account passwords be at least 15 characters in length.<VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>IAIA-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000205Establish a site policy that requires application/service account passwords that are manually managed to be at least 15 characters in length. Ensure the policy is enforced.Verify the site has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. If such a policy does not exist or has not been implemented, this is a finding.WIN00-000010-02<GroupDescription></GroupDescription>WN12-00-000011Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.<VulnDiscussion>Setting application accounts to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. 
If managed service accounts are used, this alleviates the need to manually change application account passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. - -It is recommended that system-managed service accounts be used where possible.Determine if manually managed application/service accounts exist. If none exist, this is NA. - -If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. - -Identify manually managed application/service accounts. - -To determine the date a password was last changed: - -Domain controllers: - -Open "Windows PowerShell". - -Enter "Get-ADUser -Identity [application account name] -Properties PasswordLastSet | FL Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. - -If the "PasswordLastSet" date is more than one year old, this is a finding. - -Member servers and standalone systems: - -Open "Windows PowerShell" or "Command Prompt". - -Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. 
- -If the "Password Last Set" date is more than one year old, this is a finding.WIN00-000014<GroupDescription></GroupDescription>WN12-00-000006Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.<VulnDiscussion>If SAs are assigned to systems running operating systems for which they have no training, these systems are at additional risk of unintentional misconfiguration that may result in vulnerabilities or decreased availability of the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECLP-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Establish site policy that requires SAs be trained for all operating systems running on systems under their control.Determine whether the site has a policy that requires SAs be trained for all operating systems running on systems under their control. If the site does not have a policy requiring SAs be trained for all operating systems under their control, this is a finding.WINAU-000016<GroupDescription></GroupDescription>WN12-AU-000082The system must be configured to audit Object Access - Removable Storage failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Object Access >> Removable Storage - Failure - -Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. 
This may be set to Not Configured in such cases and would not be a finding.WINAU-000017<GroupDescription></GroupDescription>WN12-AU-000081The system must be configured to audit Object Access - Removable Storage successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding. - -Object Access >> Removable Storage - Success - -Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.WINAU-000100<GroupDescription></GroupDescription>WN12-AU-000200Audit data must be reviewed on a regular basis.<VulnDiscussion>To be of value, audit logs from critical systems must be reviewed on a regular basis. Critical systems should be reviewed on a daily basis to identify security breaches and potential weaknesses in the security structure. This can be done with the use of monitoring software or other utilities for this purpose.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECAT-1, ECAT-2</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Review audit logs on a predetermined scheduled.Determine whether audit logs are reviewed on a predetermined schedule. If audit logs are not reviewed on a regular basis, this is a finding.WINAU-000101<GroupDescription></GroupDescription>WN12-AU-000201Audit data must be retained for at least one year.<VulnDiscussion>Audit records are essential for investigating system activity after the fact. 
Retention periods for audit data are determined based on the sensitivity of the data handled by the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECRR-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Ensure the audit data is retained for at least a year.Determine whether audit data is retained for at least one year. If the audit data is not retained for at least a year, this is a finding.WINAU-000102<GroupDescription></GroupDescription>WN12-AU-000203-01Audit records must be backed up onto a different system or media than the system being audited.<VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-001851Establish and implement a process for backing up log data to another system or media other than the system being audited.Determine if a process to back up log data to a different system or media than the system being audited has been implemented. 
If it has not, this is a finding.WINCC-000011<GroupDescription></GroupDescription>WN12-CC-000011IP stateless autoconfiguration limits state must be enabled.<VulnDiscussion>IP stateless autoconfiguration could configure routes that circumvent preferred routes if not limited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24070-5CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> TCPIP Settings -> Parameters -> "Set IP Stateless Autoconfiguration Limits State" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ - -Value Name: EnableIPAutoConfigurationLimits - -Type: REG_DWORD -Value: 1WINCC-000018<GroupDescription></GroupDescription>WN12-CC-000018Optional component installation and component repair must be prevented from using Windows Update.<VulnDiscussion>Uncontrolled system updates can introduce issues to a system. Obtaining update components from an outside source may also potentially provide sensitive information outside of the enterprise. 
Optional component installation or repair must be obtained from an internal source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23727-1CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> System -> "Specify settings for optional component installation and component repair" to "Enabled" and with "Never attempt to download payload from Windows Update" selected.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\Servicing\ - -Value Name: UseWindowsUpdate - -Type: REG_DWORD -Value: 2WINCC-000025<GroupDescription></GroupDescription>WN12-CC-000025Device driver updates must only search managed servers, not Windows Update.<VulnDiscussion>Uncontrolled system updates can introduce issues to a system. Obtaining update components from an outside source may also potentially provide sensitive information outside of the enterprise. 
Device driver updates must be obtained from an internal source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25002-7CCI-001812Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Specify the search server for device driver updates" to "Enabled" with "Search Managed Server" selected.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\DriverSearching\ - -Value Name: DriverServerSelection - -Type: REG_DWORD -Value: 1WINCC-000027<GroupDescription></GroupDescription>WN12-CC-000027Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.<VulnDiscussion>Compromised boot drivers can introduce malware prior to some protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on classifications determined by the malware protection application. 
At a minimum, drivers determined to be bad must not be allowed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECVP-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25320-3CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Early Launch Antimalware -> "Boot-Start Driver Initialization Policy" to "Enabled" with "Good and Unknown" selected.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \System\CurrentControlSet\Policies\EarlyLaunch\ - -Value Name: DriverLoadPolicy - -Type: REG_DWORD -Value: 1WINCC-000030<GroupDescription></GroupDescription>WN12-CC-000030Access to the Windows Store must be turned off.<VulnDiscussion>Uncontrolled installation of applications can introduce various issues, including system instability, and allow access to sensitive information. Installation of applications must be controlled by the enterprise. 
Turning off access to the Windows Store will limit access to publicly available applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24981-3CCI-000366If the \Windows\WinStore directory exists, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off access to the Store" to "Enabled". - -Alternately, uninstall the "Desktop Experience" feature from Windows 2012. This is located under "User Interfaces and Infrastructure" in the "Add Roles and Features Wizard". The \Windows\WinStore directory may need to be manually deleted after this.The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ - -Value Name: NoUseStoreOpenWith - -Type: REG_DWORD -Value: 1WINCC-000048<GroupDescription></GroupDescription>WN12-CC-000048Copying of user input methods to the system account for sign-in must be prevented.<VulnDiscussion>Allowing different input methods for sign-in could open different avenues of attack. 
User input methods must be restricted to those enabled for the system account at sign-in.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24401-2CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Locale Services -> "Disallow copying of user input methods to the system account for sign-in" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Control Panel\International\ - -Value Name: BlockUserInputMethodsForSignIn - -Type: REG_DWORD -Value: 1WINCC-000051<GroupDescription></GroupDescription>WN12-CC-000051Local users on domain-joined computers must not be enumerated.<VulnDiscussion>The username is one part of logon credentials that could be used to gain access to a system. 
Preventing the enumeration of users limits this information to authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23305-6CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Logon -> "Enumerate local users on domain-joined computers" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\System\ - -Value Name: EnumerateLocalUsers - -Type: REG_DWORD -Value: 0WINCC-000052<GroupDescription></GroupDescription>WN12-CC-000052App notifications on the lock screen must be turned off.<VulnDiscussion>App notifications that are displayed on the lock screen could display sensitive information to unauthorized personnel. 
Turning off this feature will limit access to the information to a logged on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24092-9CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Logon -> "Turn off app notifications on the lock screen" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\System\ - -Value Name: DisableLockScreenAppNotifications - -Type: REG_DWORD -Value: 1WINCC-000065<GroupDescription></GroupDescription>WN12-CC-000065The detection of compatibility issues for applications and drivers must be turned off.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this feature will prevent potentially sensitive information from being sent outside the enterprise and uncontrolled updates to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24560-5CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Application Compatibility Diagnostics -> "Detect compatibility issues for applications and drivers" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\AppCompat\ - -Value Name: DisablePcaUI - -Type: REG_DWORD -Value: 0WINCC-000070<GroupDescription></GroupDescription>WN12-CC-000070Trusted app installation must be enabled to allow for signed enterprise line of business apps.<VulnDiscussion>Enabling trusted app installation allows for enterprise line of business Windows 8 type apps. A trusted app package is one that is signed with a certificate chain that can be successfully validated in the enterprise. 
Configuring this ensures enterprise line of business apps are accessible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23960-8CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> App Package Deployment -> "Allow all trusted apps to install" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\Appx\ - -Value Name: AllowAllTrustedApps - -Type: REG_DWORD -Value: 1WINCC-000075<GroupDescription></GroupDescription>WN12-CC-000075The use of biometrics must be disabled.<VulnDiscussion>Allowing biometrics may bypass required authentication methods. Biometrics may only be used as an additional authentication factor where an enhanced strength of identity credential is necessary or desirable. 
Additional factors must be met per DoD policy.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>IAIA-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24801-3CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Biometrics -> "Allow the use of biometrics" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Biometrics\ - -Value Name: Enabled - -Type: REG_DWORD -Value: 0WINCC-000076<GroupDescription></GroupDescription>WN12-CC-000076The password reveal button must not be displayed.<VulnDiscussion>Visible passwords may be seen by nearby persons, compromising them. 
The password reveal button can be used to display an entered password and must not be allowed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>IAIA-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23228-0CCI-000206Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Credential User Interface -> "Do not display the password reveal button" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\CredUI\ - -Value Name: DisablePasswordReveal - -Type: REG_DWORD -Value: 1WINCC-000088<GroupDescription></GroupDescription>WN12-CC-000088Windows SmartScreen must be enabled on Windows 2012/2012 R2.<VulnDiscussion>Windows SmartScreen helps protect systems from programs downloaded from the Internet that may be malicious. 
Warning a user before running downloaded unknown software, at minimum, will help prevent potentially malicious programs from executing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23531-7CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled" with either "Give user a warning before running downloaded unknown software" or "Require approval from an administrator before running downloaded unknown software" selected. - -Microsoft has changed this setting several times in the Windows 10 administrative templates, which will affect group policies in a domain if later templates are used. - -v1607 of Windows 10 and Windows Server 2016 changed the setting to only Enabled or Disabled without additional selections. Enabled is effectively "Give user a warning…". - -v1703 of Windows 10 or later administrative templates changed the policy name to "Configure Windows Defender SmartScreen", and the selectable options are "Warn" and "Warn and prevent bypass". When either of these are applied to a Windows 2012/2012 R2 system, it will configure the registry equivalent of "Give user a warning…").This is applicable to unclassified systems; for other systems, this is NA. 
- -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ - -Value Name: EnableSmartScreen - -Type: REG_DWORD -Value: 0x00000001 (1) (Give user a warning…) -Or 0x00000002 (2) (Require approval…)WINCC-000095<GroupDescription></GroupDescription>WN12-CC-000095The location feature must be turned off.<VulnDiscussion>The location service on systems may allow sensitive data to be used by applications on the system. This should be turned off unless explicitly allowed for approved systems/applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25343-5CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Location and Sensors -> "Turn off location" to "Enabled". - -If location services are approved by the organization for a device, this must be documented.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\LocationAndSensors\ - -Value Name: DisableLocation - -Type: REG_DWORD -Value: 1 (Enabled) - -If location services are approved for the system by the organization, this may be set to "Disabled" (0). 
This must be documented with the ISSO.WINCC-000106<GroupDescription></GroupDescription>WN12-CC-000106Basic authentication for RSS feeds over HTTP must be turned off.<VulnDiscussion>Basic authentication uses plain text passwords that could be used to compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23213-2CCI-000381Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> RSS Feeds -> "Turn on Basic feed authentication over HTTP" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Internet Explorer\Feeds\ - -Value Name: AllowBasicAuthInClear - -Type: REG_DWORD -Value: 0WINCC-000109<GroupDescription></GroupDescription>WN12-CC-000109Automatic download of updates from the Windows Store must be turned off.<VulnDiscussion>Uncontrolled system updates can introduce issues to a system. Obtaining update components from an outside source may also potentially allow sensitive information outside of the enterprise. 
Application updates must be obtained from an internal source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. - -Windows 2012 R2: -Windows 2012 R2 split the original policy that configures this setting into two separate ones. Configuring either one to "Enabled" will update the registry value as identified in the Check section. - -Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Store -> -"Turn off Automatic Download of updates on Win8 machines" or "Turn off Automatic Download and install of updates" to "Enabled". - -Windows 2012: -Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Store -> "Turn off Automatic Download of updates" to "Enabled".The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. 
-If the following registry value does not exist or is not configured as specified, this is a finding: - -Windows 2012 R2: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ - -Value Name: AutoDownload - -Type: REG_DWORD -Value: 0x00000002 (2) - -Windows 2012: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\WindowsUpdate\ - -Value Name: AutoDownload - -Type: REG_DWORD -Value: 0x00000002 (2)WINCC-000110<GroupDescription></GroupDescription>WN12-CC-000110The Windows Store application must be turned off.<VulnDiscussion>Uncontrolled installation of applications can introduce various issues, including system instability, and provide access to sensitive information. Installation of applications must be controlled by the enterprise. Turning off access to the Windows Store will limit access to publicly available applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. - -Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Store -> "Turn off the Store application" to "Enabled".The Windows Store is not installed by default. If the \Windows\WinStore directory does not exist, this is NA. 
-If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\WindowsStore\ - -Value Name: RemoveWindowsStore - -Type: REG_DWORD -Value: 1WINCC-000123<GroupDescription></GroupDescription>WN12-CC-000123The Windows Remote Management (WinRM) client must not use Basic authentication.<VulnDiscussion>Basic authentication uses plain text passwords that could be used to compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>IAIA-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24431-9CCI-000877Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> "Allow Basic authentication" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ - -Value Name: AllowBasic - -Type: REG_DWORD -Value: 0WINCC-000124<GroupDescription></GroupDescription>WN12-CC-000124The Windows Remote Management (WinRM) client must not allow unencrypted traffic.<VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. 
Windows remote management connections must be encrypted to prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23728-9CCI-002890CCI-003123Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> "Allow unencrypted traffic" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ - -Value Name: AllowUnencryptedTraffic - -Type: REG_DWORD -Value: 0WINCC-000125<GroupDescription></GroupDescription>WN12-CC-000125The Windows Remote Management (WinRM) client must not use Digest authentication.<VulnDiscussion>Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>IAIA-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25263-5CCI-000877Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Client -> "Disallow Digest authentication" to "Enabled".If the following registry value does not exist or is not configured as specified, 
this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Client\ - -Value Name: AllowDigest - -Type: REG_DWORD -Value: 0WINCC-000126<GroupDescription></GroupDescription>WN12-CC-000126The Windows Remote Management (WinRM) service must not use Basic authentication.<VulnDiscussion>Basic authentication uses plain text passwords that could be used to compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23637-2CCI-000877Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> "Allow Basic authentication" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ - -Value Name: AllowBasic - -Type: REG_DWORD -Value: 0WINCC-000127<GroupDescription></GroupDescription>WN12-CC-000127The Windows Remote Management (WinRM) service must not allow unencrypted traffic.<VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. 
Windows remote management connections must be encrypted to prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25102-5CCI-002890CCI-003123Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> "Allow unencrypted traffic" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ - -Value Name: AllowUnencryptedTraffic - -Type: REG_DWORD -Value: 0WINCC-000128<GroupDescription></GroupDescription>WN12-CC-000128The Windows Remote Management (WinRM) service must not store RunAs credentials.<VulnDiscussion>Storage of administrative credentials could allow unauthorized access. 
Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECLP-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23262-9CCI-002038Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM) -> WinRM Service -> "Disallow WinRM from storing RunAs credentials" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows\WinRM\Service\ - -Value Name: DisableRunAs - -Type: REG_DWORD -Value: 1WINAU-000204<GroupDescription></GroupDescription>WN12-AU-000204Permissions for the Application event log must prevent access by nonprivileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
The Application event log may be susceptible to tampering if proper permissions are not applied.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECTP-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000162CCI-000163CCI-000164Ensure the permissions on the Application event log (Application.evtx) are configured to prevent standard user accounts or groups from having greater than Read access. The default permissions listed below satisfy this requirement: - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. - -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Verify the permissions on the Application event log (Application.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. - -If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.WINAU-000205<GroupDescription></GroupDescription>WN12-AU-000205Permissions for the Security event log must prevent access by nonprivileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Security event log may disclose sensitive information or be susceptible to tampering if proper permissions are not applied.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECTP-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000162CCI-000163CCI-000164Ensure the permissions on the Security event log (Security.evtx) are configured to prevent standard user accounts or groups from having access. The default permissions listed below satisfy this requirement: - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. - -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Verify the permissions on the Security event log (Security.evtx). Standard user accounts or groups must not have access. The default permissions listed below satisfy this requirement: - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. They may have been moved to another folder. 
- -If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.WINAU-000206<GroupDescription></GroupDescription>WN12-AU-000206Permissions for the System event log must prevent access by nonprivileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The System event log may be susceptible to tampering if proper permissions are not applied.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECTP-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000162CCI-000163CCI-000164Ensure the permissions on the System event log (System.evtx) are configured to prevent standard user accounts or groups from having greater than Read access. The default permissions listed below satisfy this requirement: - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. - -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Verify the permissions on the System event log (System.evtx). Standard user accounts or groups must not have greater than Read access. The default permissions listed below satisfy this requirement: - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS" directory. 
They may have been moved to another folder. - -If the permissions for these files are not as restrictive as the ACLs listed, this is a finding.WINGE-000027<GroupDescription></GroupDescription>WN12-00-000015User-level information must be backed up in accordance with local recovery time and recovery point objectives.<VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. - -User-level information is data generated by information system and/or application users. - -Backups shall be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Implement user-level information backups in accordance with local recovery time and recovery point objectives.Determine whether user-level information is backed up in accordance with local recovery time and recovery point objectives. 
If user-level information is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.WINGE-000028<GroupDescription></GroupDescription>WN12-GE-000023Windows Server 2012 / 2012 R2 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).<VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools..</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-001233Install a DoD approved HBSS software and ensure it is operating continuously.Verify DoD approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. 
- -If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured, maintained, or used, this is a finding.WINGE-000029<GroupDescription></GroupDescription>WN12-GE-000024The system must support automated patch management tools to facilitate flaw remediation.<VulnDiscussion>The organization (including any contractor to the organization) must promptly install security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Establish a process to automatically install security-related software updates.Verify the organization has an automated process to install security-related software updates. If it does not, this is a finding.WINGE-000030<GroupDescription></GroupDescription>WN12-GE-000025The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.<VulnDiscussion>Failure to verify a certificate's revocation status can result in the system accepting a revoked, and therefore unauthorized, certificate. This could result in the installation of unauthorized software or a connection for rogue networks, depending on the use for which the certificate is intended. 
Querying for certificate revocation mitigates the risk that the system will accept an unauthorized certificate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Install software that provides certificate validation and revocation checking.Verify the system has software installed and running that provides certificate validation and revocation checking. If it does not, this is a finding.WINSO-000021<GroupDescription></GroupDescription>WN12-SO-000021The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. 
This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-23043-3CCI-000057Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive logon: Machine inactivity limit" to "900" seconds" or less, excluding "0" which is effectively disabled.If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: InactivityTimeoutSecs - -Value Type: REG_DWORD -Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled)WINUC-000005<GroupDescription></GroupDescription>WN12-UC-000005Notifications from Windows Push Network Service must be turned off.<VulnDiscussion>The Windows Push Notification Service (WNS) allows third-party vendors to send updates for toasts, tiles, and badges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25048-0CCI-000381Configure the policy value for User Configuration -> Administrative Templates -> Start Menu and Taskbar -> 
Notifications -> "Turn off notifications network usage" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ - -Value Name: NoCloudApplicationNotification - -Type: REG_DWORD -Value: 1WINUC-000006<GroupDescription></GroupDescription>WN12-UC-000006Toast notifications to the lock screen must be turned off.<VulnDiscussion>Toast notifications that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-25414-4CCI-000381Configure the policy value for User Configuration -> Administrative Templates -> Start Menu and Taskbar -> Notifications -> "Turn off toast notifications on the lock screen" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\ - -Value Name: NoToastApplicationNotificationOnLockScreen - -Type: REG_DWORD -Value: 1WN00-000016<GroupDescription></GroupDescription>WN12-00-000016Backups of system-level information must be protected.<VulnDiscussion>A system backup will usually include sensitive information such as user accounts that could be used in an attack. 
As a valuable system resource, the system backup must be protected and stored in a physically secure location.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>CODB-2</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Ensure system-level information backups are stored in a secure location and protected from destruction.Determine if system-level information backups are protected from destruction and stored in a physically secure location. If they are not, this is a finding.WN00-000017<GroupDescription></GroupDescription>WN12-00-000017System-related documentation must be backed up in accordance with local recovery time and recovery point objectives.<VulnDiscussion>Operating system backup is a critical step in maintaining data assurance and availability. - -Information system and security-related documentation contains information pertaining to system configuration and security settings. - -Backups shall be consistent with organizational recovery time and recovery point objectives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Back up system-related documentation in accordance with local recovery time and recovery point objectives.Determine whether system-related documentation is backed up in accordance with local recovery time and recovery point objectives. 
If system-related documentation is not backed up in accordance with local recovery time and recovery point objectives, this is a finding.WNGE-000007<GroupDescription></GroupDescription>WN12-GE-000007Permissions for program file directories must conform to minimum requirements.<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. - -The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-002165Maintain the default permissions for the program file directories and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (V-3377). 
- -Default Permissions: -\Program Files and \Program Files (x86) -Type - "Allow" for all -Inherited from - "None" for all - -Principal - Access - Applies to - -TrustedInstaller - Full control - This folder and subfolders -SYSTEM - Modify - This folder only -SYSTEM - Full control - Subfolders and files only -Administrators - Modify - This folder only -Administrators - Full control - Subfolders and files only -Users - Read & execute - This folder, subfolders and files -CREATOR OWNER - Full control - Subfolders and files only -ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and filesThe default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. - -Verify the default permissions for the program file directories (Program Files and Program Files (x86)). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) - -Viewing in File Explorer: -For each folder, view the Properties. -Select the "Security" tab, and the "Advanced" button. - -Default Permissions: -\Program Files and \Program Files (x86) -Type - "Allow" for all -Inherited from - "None" for all - -Principal - Access - Applies to - -TrustedInstaller - Full control - This folder and subfolders -SYSTEM - Modify - This folder only -SYSTEM - Full control - Subfolders and files only -Administrators - Modify - This folder only -Administrators - Full control - Subfolders and files only -Users - Read & execute - This folder, subfolders and files -CREATOR OWNER - Full control - Subfolders and files only -ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files - -Alternately, use Icacls: - -Open a Command prompt (admin). 
-Enter icacls followed by the directory: - -icacls "c:\program files" -icacls "c:\program files (x86)" - -The following results should be displayed as each is entered: - -c:\program files -NT SERVICE\TrustedInstaller:(F) -NT SERVICE\TrustedInstaller:(CI)(IO)(F) -NT AUTHORITY\SYSTEM:(M) -NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) -BUILTIN\Administrators:(M) -BUILTIN\Administrators:(OI)(CI)(IO)(F) -BUILTIN\Users:(RX) -BUILTIN\Users:(OI)(CI)(IO)(GR,GE) -CREATOR OWNER:(OI)(CI)(IO)(F) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) -Successfully processed 1 files; Failed processing 0 filesWNGE-000006<GroupDescription></GroupDescription>WN12-GE-000006Permissions for system drive root directory (usually C:\) must conform to minimum requirements.<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. - -The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-002165Maintain the default permissions for the system drive's root directory and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (V-3377). 
- -Default Permissions -C:\ -Type - "Allow" for all -Inherited from - "None" for all - -Principal - Access - Applies to - -SYSTEM - Full control - This folder, subfolders and files -Administrators - Full control - This folder, subfolders and files -Users - Read & execute - This folder, subfolders and files -Users - Create folders / append data - This folder and subfolders -Users - Create files / write data - Subfolders only -CREATOR OWNER - Full Control - Subfolders and files onlyThe default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. - -Verify the default permissions for the system drive's root directory (usually C:\). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) - -Viewing in File Explorer: -View the Properties of system drive root directory. -Select the "Security" tab, and the "Advanced" button. - -C:\ -Type - "Allow" for all -Inherited from - "None" for all - -Principal - Access - Applies to - -SYSTEM - Full control - This folder, subfolders and files -Administrators - Full control - This folder, subfolders and files -Users - Read & execute - This folder, subfolders and files -Users - Create folders / append data - This folder and subfolders -Users - Create files / write data - Subfolders only -CREATOR OWNER - Full Control - Subfolders and files only - -Alternately, use Icacls: - -Open a Command prompt (admin). 
-Enter icacls followed by the directory: - -icacls c:\ - -The following results should be displayed: - -c:\ -NT AUTHORITY\SYSTEM:(OI)(CI)(F) -BUILTIN\Administrators:(OI)(CI)(F) -BUILTIN\Users:(OI)(CI)(RX) -BUILTIN\Users:(CI)(AD) -BUILTIN\Users:(CI)(IO)(WD) -CREATOR OWNER:(OI)(CI)(IO)(F) -Successfully processed 1 files; Failed processing 0 filesWNGE-000008<GroupDescription></GroupDescription>WN12-GE-000008Permissions for Windows installation directory must conform to minimum requirements.<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. - -The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-001499CCI-002165Maintain the default file ACLs and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (V-3377). 
- -Default Permissions: -Type - "Allow" for all -Inherited from - "None" for all - -Principal - Access - Applies to - -TrustedInstaller - Full control - This folder and subfolders -SYSTEM - Modify - This folder only -SYSTEM - Full control - Subfolders and files only -Administrators - Modify - This folder only -Administrators - Full control - Subfolders and files only -Users - Read & execute - This folder, subfolders and files -CREATOR OWNER - Full control - Subfolders and files only -ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and filesThe default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. - -Verify the default permissions for the Windows installation directory (usually C:\Windows). Nonprivileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) - -Viewing in File Explorer: -View the Properties of the folder. -Select the "Security" tab, and the "Advanced" button. - -Default Permissions: -\Windows -Type - "Allow" for all -Inherited from - "None" for all - -Principal - Access - Applies to - -TrustedInstaller - Full control - This folder and subfolders -SYSTEM - Modify - This folder only -SYSTEM - Full control - Subfolders and files only -Administrators - Modify - This folder only -Administrators - Full control - Subfolders and files only -Users - Read & execute - This folder, subfolders and files -CREATOR OWNER - Full control - Subfolders and files only -ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files - -Alternately, use Icacls: - -Open a Command prompt (admin). 
-Enter icacls followed by the directory: - -icacls c:\windows - -The following results should be displayed: - -c:\windows -NT SERVICE\TrustedInstaller:(F) -NT SERVICE\TrustedInstaller:(CI)(IO)(F) -NT AUTHORITY\SYSTEM:(M) -NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) -BUILTIN\Administrators:(M) -BUILTIN\Administrators:(OI)(CI)(IO)(F) -BUILTIN\Users:(RX) -BUILTIN\Users:(OI)(CI)(IO)(GR,GE) -CREATOR OWNER:(OI)(CI)(IO)(F) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) -Successfully processed 1 files; Failed processing 0 filesWN00-000009-02<GroupDescription></GroupDescription>WN12-00-000009-02Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.<VulnDiscussion>Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. Members of the Backup Operators group must have separate logon accounts for performing backup duties.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECLP-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions.If no accounts are members of the Backup Operators group, this is NA. - -Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. 
If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding.WNAU-000060<GroupDescription></GroupDescription>WN12-AU-000060The system must be configured to audit Object Access - Central Access Policy Staging failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Central Access Policy Staging auditing under Object Access is used to enable the recording of events related to differences in permissions between central access policies and proposed policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECAR-2, ECAR-3</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> "Audit Central Access Policy Staging" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Object Access -> Central Policy Staging - FailureWNAU-000059<GroupDescription></GroupDescription>WN12-AU-000059The system must be configured to audit Object Access - Central Access Policy Staging successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Central Access Policy Staging auditing under Object Access is used to enable the recording of events related to differences in permissions between central access policies and proposed policies.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECAR-2, ECAR-3</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> "Audit Central Access Policy Staging" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to 
"Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Object Access -> Central Policy Staging - SuccessWNCC-000136<GroupDescription></GroupDescription>WN12-CC-000136Only the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role).<VulnDiscussion>Allowing the redirection of only the default client printer to a Remote Desktop session helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24504-3CCI-000366Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Printer Redirection -> "Redirect only the default client printer" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \Software\Policies\Microsoft\Windows NT\Terminal Services\ - -Value Name: RedirectOnlyDefaultClientPrinter - -Type: REG_DWORD -Value: 1WNSV-000106<GroupDescription></GroupDescription>WN12-SV-000106The Smart Card Removal Policy service must be configured to automatic.<VulnDiscussion>The automatic start of the Smart Card Removal Policy service is required to support the smart card 
removal behavior requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCE-24365-9CCI-000366Configure the Startup Type for the Smart Card Removal Policy service to "Automatic".Verify the Smart Card Removal Policy service is configured to "Automatic". - -Run "Services.msc". - -If the Startup Type for Smart Card Removal Policy is not set to Automatic, this is a finding.WINPK-000004<GroupDescription></GroupDescription>WN12-PK-000004The US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.<VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000185CCI-002470Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. 
- -Issued To - Issued By - Thumbprint -DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E - -The certificates can be installed using the InstallRoot tool. The tool and user guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx.Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. - -Run "PowerShell" as an administrator. - -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter - -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. - -If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. - -Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US -Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E -NotAfter: 9/27/2019 - -Alternately use the Certificates MMC snap-in: - -Run "MMC". - -Select "File", "Add/Remove Snap-in". - -Select "Certificates", click "Add". - -Select "Computer account", click "Next". - -Select "Local computer: (the computer this console is running on)", click "Finish". - -Click "OK". - -Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". - -For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": - -Right-click on the certificate and select "Open". - -Select the "Details" Tab. - -Scroll to the bottom and select "Thumbprint". - -If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. - -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. 
- -Issued To: DoD Root CA 3 -Issuer by: US DoD CCEB Interoperability Root CA 2 -Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E -Valid: Friday, September 27, 2019WINFW-000001<GroupDescription></GroupDescription>WN12-FW-000001A host-based firewall must be installed and enabled on the system.<VulnDiscussion>A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls>ECSC-1</IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Install and enable a host-based firewall on the system.Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. - -The configuration requirements will be determined by the applicable firewall STIG.WINCC-000138<GroupDescription></GroupDescription>WN12-CC-000138The display of slide shows on the lock screen must be disabled (Windows 2012 R2).<VulnDiscussion>Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. 
Turning off this feature will limit access to the information to a logged on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000381This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. - -Configure the policy value for Computer Configuration -> Administrative Templates -> Control Panel -> Personalization -> "Prevent enabling lock screen slide show" to "Enabled".This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. - -Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ - -Value Name: NoLockScreenSlideshow - -Value Type: REG_DWORD -Value: 1WINCC-000139<GroupDescription></GroupDescription>WN12-CC-000139Windows 2012 R2 must include command line data in process creation events.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Enabling "Include command line data for process creation events" will record the command line information with the process creation events in the log. 
This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000135Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> "Include command line in process creation events" to "Enabled".This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. - -Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ - -Value Name: ProcessCreationIncludeCmdLine_Enabled - -Value Type: REG_DWORD -Value: 0x00000001 (1)WINCC-000140<GroupDescription></GroupDescription>WN12-CC-000140The network selection user interface (UI) must not be displayed on the logon screen (Windows 2012 R2).<VulnDiscussion>Enabling interaction with the network selection UI allows users to change connections to available networks without signing into Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000381This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. 
- -Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Logon -> "Do not display network selection UI" to "Enabled".This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. - -Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ - -Value Name: DontDisplayNetworkSelectionUI - -Value Type: REG_DWORD -Value: 1WINCC-000141<GroupDescription></GroupDescription>WN12-CC-000141The setting to allow Microsoft accounts to be optional for modern style apps must be enabled (Windows 2012 R2).<VulnDiscussion>Control of credentials and the system must be maintained within the enterprise. Enabling this setting allows enterprise credentials to be used with modern style apps that support this, instead of Microsoft accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. - -Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> App Runtime -> "Allow Microsoft accounts to be optional" to "Enabled".This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. - -Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - -Value Name: MSAOptional - -Value Type: REG_DWORD -Value: 1WINCC-000145<GroupDescription></GroupDescription>WN12-CC-000145Automatically signing in the last interactive user after a system-initiated restart must be disabled (Windows 2012 R2).<VulnDiscussion>Windows 2012 R2 can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. - -Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Logon Options -> "Sign-in last interactive user automatically after a system-initiated restart" to "Disabled".This requirement is NA for the initial release of Windows 2012. It is applicable to Windows 2012 R2. - -Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: DisableAutomaticRestartSignOn - -Value Type: REG_DWORD -Value: 1WINAU-000089<GroupDescription></GroupDescription>WN12-AU-000089The system must be configured to audit Policy Change - Authorization Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Authorization Policy Change records events related to changes in user rights, such as Create a token object.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Policy Change -> "Audit Authorization Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: --Open a Command Prompt with elevated privileges ("Run as Administrator"). --Enter "AuditPol /get /category:*". 
- -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Policy Change -> Authorization Policy Change - SuccessWIN00-000018<GroupDescription></GroupDescription>WN12-00-000018The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.<VulnDiscussion>Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. - -The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-001774Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. - -Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server 2012. - -If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. 
- -Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: - -https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfmThis is applicable to unclassified systems; for other systems this is NA. - -Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. - -If an application whitelisting program is not in use on the system, this is a finding. - -Configuration of whitelisting applications will vary by the program. - -AppLocker is a whitelisting application built into Windows Server 2012. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. - -If AppLocker is used, perform the following to view the configuration of AppLocker: -Open PowerShell. - -If the AppLocker PowerShell module has not been previously imported, execute the following first: -Import-Module AppLocker - -Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: -Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml - -This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. - -Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: - -https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfmWINSO-000092<GroupDescription></GroupDescription>WN12-SO-000092Users must be required to enter a password to access private keys stored on the computer.<VulnDiscussion>If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. 
- -The cornerstone of the PKI is the private key used to encrypt or digitally sign information. - -If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. - -Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000186Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Force strong key protection for user keys stored on the computer" to "User must enter a password each time they use a key".If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ - -Value Name: ForceKeyProtection - -Type: REG_DWORD -Value: 2WIN00-000019<GroupDescription></GroupDescription>WN12-00-000019Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.<VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. 
These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. - -Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission. This can be accomplished via access control and encryption. - -Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, encrypted VPNs, or IPSEC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-002420CCI-002422Configure protection methods such as TLS, encrypted VPNs, or IPSEC when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process to maintain the confidentiality and integrity.If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPSEC have been implemented. 
If protection methods have not been implemented, this is a finding.WIN00-000020<GroupDescription></GroupDescription>WN12-00-000020Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.<VulnDiscussion>This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. - -Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-001199CCI-002475CCI-002476Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest.Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. 
If it does not, this is a finding.WINGE-000056<GroupDescription></GroupDescription>WN12-GE-000056Windows 2012 / 2012 R2 must automatically remove or disable temporary user accounts after 72 hours.<VulnDiscussion>If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. - -Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. - -If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. - -To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000016Configure temporary user accounts to automatically expire within 72 hours. - -Domain account can be configured with an account expiration date, under "Account" properties. - -Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. - -Delete any temporary user accounts that are no longer necessary.Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. 
- -Review temporary user accounts for expiration dates. - -Open "PowerShell". - -Domain Controllers: - -Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" -This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) - -If any accounts identified as temporary are not listed, this is a finding. - -For any temporary accounts returned by the previous query: -Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. - -If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. - -Member servers and standalone systems: - -Enter "Net User [username]", where [username] is the name of the temporary user account. - -If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding. - -If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. (Net User does not provide an account creation date.)WINGE-000057<GroupDescription></GroupDescription>WN12-GE-000057Windows 2012 / 2012 R2 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.<VulnDiscussion>Emergency administrator accounts are privileged accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. 
- -Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. - -To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-001682Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. - -Domain accounts can be configured with an account expiration date, under "Account" properties. - -Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the emergency administrator account.Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. - -If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. 
- -If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. - -Domain Controllers: - -Enter "Search-ADAccount -AccountExpiring -TimeSpan 3:00:00:00 | FT Name, AccountExpirationDate" -This will return any accounts configured to expire within the next 3 days. (The "TimeSpan" value to can be changed to find accounts configured to expire at various times such as 30 for the next month.) - -If any accounts identified as emergency administrator accounts are not listed, this is a finding. - -For any emergency administrator accounts returned by the previous query: -Enter "Get-ADUser -Identity [Name] -Property WhenCreated" to determine when the account was created. - -If the "WhenCreated" date and "AccountExpirationDate" from the previous query are greater than 3 days apart, this is a finding. - -Member servers and standalone systems: - -Enter "Net User [username]", where [username] is the name of the emergency administrator accounts. - -If "Account expires" has not been defined within 72 hours for any emergency administrator accounts, this is a finding. - -If the "Password last set" date and "Account expires" date are greater than 72 hours apart, this is a finding. (Net User does not provide an account creation date.)WINAU-000203<GroupDescription></GroupDescription>WN12-AU-000203-02The operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.<VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. 
Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-001851Configure the operating system to, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.Verify the operating system, at a minimum, off-loads audit records of interconnected systems in real time and off-loads standalone systems weekly. If it does not, this is a finding.WINAU-000213<GroupDescription></GroupDescription>WN12-AU-000213Event Viewer must be protected from unauthorized modification and deletion.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. 
- -Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification or deletion of audit tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-001494CCI-001495Ensure only TrustedInstaller has permissions to change or modify Event Viewer ("%SystemRoot%\SYSTEM32\Eventvwr.exe). - -The default permissions below satisfy this requirement. -TrustedInstaller - Full Control -Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & ExecuteVerify the permissions on Event Viewer only allow TrustedInstaller permissions to change or modify. If any groups or accounts other than TrustedInstaller have Full control or Modify, this is a finding. - -Navigate to "%SystemRoot%\SYSTEM32". -View the permissions on "Eventvwr.exe". - -The default permissions below satisfy this requirement. -TrustedInstaller - Full Control -Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES - Read & ExecuteWINCC-000150<GroupDescription></GroupDescription>WN12-CC-000150WDigest Authentication must be disabled.<VulnDiscussion>When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. 
This setting will prevent WDigest from storing credentials in memory.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "WDigest Authentication (disabling may require KB2871997)" to "Disabled". - -Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2. - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ - -Value Name: UseLogonCredential - -Type: REG_DWORD -Value: 0x00000000 (0) - -Note: Microsoft Security Advisory update 2871997 is required for this setting to be effective on Windows 2012. It is not required for Windows 2012 R2.WIN00-000170<GroupDescription></GroupDescription>WN12-00-000170The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant. 
- -Disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1. File shares and print services hosted on Windows Server 2003 are an example, however Windows Server 2003 is no longer a supported operating system. Some older network attached devices may only support SMBv1.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 Server" to "Disabled". - -The system must be restarted for the change to take effect. - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.This requirement specifically applies to Windows 2012 but can also be used for Windows 2012 R2. - -Different methods are available to disable SMBv1 on Windows 2012 R2, if V-73805 is configured on Windows 2012 R2, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ - -Value Name: SMB1 - -Type: REG_DWORD -Value: 0x00000000 (0)WIN00-000180<GroupDescription></GroupDescription>WN12-00-000180The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant. - -Disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1. File shares and print services hosted on Windows Server 2003 are an example, however Windows Server 2003 is no longer a supported operating system. Some older network attached devices may only support SMBv1.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client driver" to "Enabled" with "Disable driver (recommended)" selected for "Configure MrxSmb10 driver". - -Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client (extra setting needed for pre-Win8.1/2012R2)" to "Enabled" with the following three lines of text entered for "Configure LanmanWorkstation Dependencies": -Bowser -MRxSmb20 -NSI - -The system must be restarted for the changes to take effect. - -These policy settings requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.This requirement specifically applies to Windows 2012 but can also be used for Windows 2012 R2. - -Different methods are available to disable SMBv1 on Windows 2012 R2, if V-73805 is configured on Windows 2012 R2, this is NA. 
- -If the following registry value is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ - -Value Name: Start - -Type: REG_DWORD -Value: 0x00000004 (4) - -If the following registry value includes MRxSmb10, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\ - -Value Name: DependOnService - -Type: REG_MULTI_SZ -Value: Default values after removing MRxSmb10 include the following, which are not a finding: -Bowser -MRxSmb20 -NSIWIN00-000160<GroupDescription></GroupDescription>WN12-00-000160The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant. - -Disabling SMBv1 support may prevent access to file or print sharing resources with systems or devices that only support SMBv1. File shares and print services hosted on Windows Server 2003 are an example, however Windows Server 2003 is no longer a supported operating system. Some older network attached devices may only support SMBv1.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000381Run "Windows PowerShell" with elevated privileges (run as administrator). -Enter the following: -Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol - -Alternately: -Search for "Features". -Select "Turn Windows features on or off". 
-De-select "SMB 1.0/CIFS File Sharing Support". - -The system must be restarted for the changes to take effect.This requirement applies to Windows 2012 R2, it is NA for Windows 2012 (see V-73519 and V-73523 for 2012 requirements). - -Different methods are available to disable SMBv1 on Windows 2012 R2. This is the preferred method, however if V-73519 and V-73523 are configured, this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). -Enter the following: -Get-WindowsOptionalFeature -Online | Where FeatureName -eq SMB1Protocol - -If "State : Enabled" is returned, this is a finding. - -Alternately: -Search for "Features". -Select "Turn Windows features on or off". - -If "SMB 1.0/CIFS File Sharing Support" is selected, this is a finding.WIN00-000190<GroupDescription></GroupDescription>WN12-00-000190Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2.<VulnDiscussion>Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there is a potential they may still have rights no longer intended. 
Valid domain accounts or groups may also show up as unresolved SIDs if a connection to the domain cannot be established for some reason.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy.Review the effective User Rights setting in Local Group Policy Editor. -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) - -If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding.WINAU-000501<GroupDescription></GroupDescription>WN12-AU-000030Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Account Lockout events can be used to identify potentially malicious logon attempts. -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-001404Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. - -If the system does not audit the following, this is a finding. - -Logon/Logoff >> Account Lockout - SuccessWINAU-000502<GroupDescription></GroupDescription>WN12-AU-000031Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Account Lockout events can be used to identify potentially malicious logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-001404Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. - -Logon/Logoff >> Account Lockout - FailureWINAU-000907<GroupDescription></GroupDescription>WN12-AU-000105Windows Server 2012/2012 R2 must be configured to audit System - Other System Events successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*" - -Compare the AuditPol settings with the following. - -If the system does not audit the following, this is a finding. - -System >> Other System Events - SuccessWINAU-000908<GroupDescription></GroupDescription>WN12-AU-000106Windows Server 2012/2012 R2 must be configured to audit System - Other System Events failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (V-14230) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. - -If the system does not audit the following, this is a finding. - -System >> Other System Events - FailureWIN00-000200<GroupDescription></GroupDescription>WN12-00-000200Windows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2.<VulnDiscussion>Later versions of Windows PowerShell provide additional security and advanced logging features that can provide greater detail when malware has been run on a system. PowerShell 5.x includes the advanced logging features. PowerShell 4.0 with the addition of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012 adds advanced logging features. 
- -PowerShell is updated with the installation of the corresponding version of the Windows Management Framework (WMF). - -Updating to a later PowerShell version may have compatibility issues with some applications. The following links should be reviewed and updates tested before applying to a production environment. - -WMF 4.0: -Review the System Requirements under the download link - https://www.microsoft.com/en-us/download/details.aspx?id=40855 - -WMF 5.0: -https://docs.microsoft.com/en-us/powershell/wmf/5.0/productincompat - -WMF 5.1: -https://docs.microsoft.com/en-us/powershell/wmf/5.1/productincompat</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000366Update Windows PowerShell to version 4.0 or 5.x. - -Windows 2012 R2 includes PowerShell 4.0 by default. It may be updated with the installation of Windows Management Framework (WMF) 5.0 or 5.1. - -Windows 2012 requires the installation of Windows Management Framework (WMF) 4.0, 5.0, or 5.1. - -Updating to a later PowerShell version may have compatibility issues with some applications. The following links should be reviewed and updates tested before applying to a production environment. - -WMF 4.0: -Review the System Requirements under the download link - https://www.microsoft.com/en-us/download/details.aspx?id=40855 - -WMF 5.0: -https://docs.microsoft.com/en-us/powershell/wmf/5.0/productincompat - -WMF 5.1: -https://docs.microsoft.com/en-us/powershell/wmf/5.1/productincompatOpen "Windows PowerShell". - -Enter "$PSVersionTable". - -If the value for "PSVersion" is not 4.0 or 5.x, this is a finding. 
- -Windows 2012 R2 includes PowerShell 4.0 by default. Windows 2012 must be updated. If PowerShell 4.0 is used, the required patch for script block logging will be verified with the requirement to have that enabled.WIN00-000210<GroupDescription></GroupDescription>WN12-00-000210PowerShell script block logging must be enabled on Windows 2012/2012 R2.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. This can provide additional detail when malware has run on a system. - -PowerShell 5.x supports script block logging. PowerShell 4.0 with the addition of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012 adds support for script block logging.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000135Configure the following registry value as specified. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ - -Value Name: EnableScriptBlockLogging - -Value Type: REG_DWORD -Value: 0x00000001 (1) - -Administrative templates from later versions of Windows include a group policy setting for this. 
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled". - -Install patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012 on systems with PowerShell 4.0. - -PowerShell 5.x does not require the installation of an additional patch.If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ - -Value Name: EnableScriptBlockLogging - -Value Type: REG_DWORD -Value: 0x00000001 (1) - -PowerShell 4.0 requires the installation of patch KB3000850 on Windows 2012 R2 or KB3119938 on Windows 2012. - -If the patch is not installed on systems with PowerShell 4.0, this is a finding. - -PowerShell 5.x does not require the installation of an additional patch.WIN00-000220<GroupDescription></GroupDescription>WN12-00-000220Windows PowerShell 2.0 must not be installed on Windows 2012/2012 R2.<VulnDiscussion>Windows PowerShell versions 4.0 (with a patch) and 5.x add advanced logging features that can provide additional detail when malware has been run on a system. Ensuring Windows PowerShell 2.0 is not installed as well mitigates against a downgrade attack that evades the advanced logging features of later Windows PowerShell versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows 2012DISADPMS TargetWindows 20122350CCI-000381Windows PowerShell 2.0 is not installed by default. - -Uninstall it if it has been installed. - -Open "Windows PowerShell". 
- -Enter "Uninstall-WindowsFeature -Name PowerShell-v2". - -Alternately: - -Use the "Remove Roles and Features Wizard" and deselect "Windows PowerShell 2.0 Engine" under "Windows PowerShell".Windows PowerShell 2.0 is not installed by default. - -Open "Windows PowerShell". - -Enter "Get-WindowsFeature -Name PowerShell-v2". - -If "Installed State" is "Installed", this is a finding. - -An Installed State of "Available" or "Removed" is not a finding. diff --git a/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_V3R1_Manual-xccdf.log b/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_V3R1_Manual-xccdf.log new file mode 100644 index 000000000..5ac198e76 --- /dev/null +++ b/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_V3R1_Manual-xccdf.log 
@@ -0,0 +1,9 @@ +V-225274::"Store password using reversible encryption"::"Store passwords using reversible encryption" +V-225272::"Minimum password length,"::"Minimum password length" +V-225427::*::HardCodedRule(AuditSettingRule)@{DscResource = 'AuditSetting'; DesiredValue = $true; Operator = '-eq'; Property = 'PasswordExpires'; Query = "SELECT * FROM Win32_UserAccount WHERE Disabled=$false AND LocalAccount=$true"} +V-225426::*::HardCodedRule(AuditSettingRule)@{DscResource = 'AuditSetting'; DesiredValue = $true; Operator = '-eq'; Property = 'PasswordRequired'; Query = "SELECT * FROM Win32_UserAccount WHERE Disabled=$false AND LocalAccount=$true"} +V-225374::Value: 0x00000001 (1) ::Value: 1 Or 2 +V-225436::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct Certificate Revocation Checking service information'} +V-225416::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct Firewall service information'} +V-225263::*::HardCodedRule(AuditSettingRule)@{DscResource = 'AuditSetting'; DesiredValue = '6.3.9600.17415'; Operator = '-ge'; Property = 'Version'; Query = "SELECT * FROM CIM_Datafile WHERE FileName='powershell' AND Path LIKE '%\\Windows\\System32\\WindowsPowerShell\\v1.0\\%' AND Extension='exe'"} +V-225264::Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ 
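Review bot: the V-225263 entry compares the CIM_Datafile `Version` property against `'6.3.9600.17415'` with `Operator = '-ge'`, and unless the AuditSetting resource casts both sides to [version] before comparing, that is a string comparison: a powershell.exe whose file version has a higher major number but a lower leading digit (a 10.0.x build from a WMF 5.x install) sorts below `'6.3.9600.17415'` and would be reported as a finding even though the STIG check text accepts PSVersion 4.0 or 5.x. Suggest confirming which comparison the resource actually performs, or expressing the rule with an `OrganizationValueTestString` (as the V-225436 and V-225416 entries already do) so the tester records the WMF build deployed. Separately, the `$false`/`$true` tokens inside the double-quoted `Query` strings for V-225427 and V-225426 are expanded by PowerShell to the WQL literals `False`/`True` before the query runs; that is the intended behaviour, but it only works because the strings are double-quoted, which is worth stating in the PR description so a later edit does not switch them to single quotes.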
diff --git a/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_V3R1_Manual-xccdf.xml b/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_V3R1_Manual-xccdf.xml new file mode 100644 index 000000000..bc8237e72 --- /dev/null +++ b/source/StigData/Archive/Windows.Server.2012R2/U_MS_Windows_2012_and_2012_R2_MS_V3R1_Manual-xccdf.xml 
@@ -0,0 +1,4110 @@ +acceptedMicrosoft Windows Server 2012/2012 R2 Member Server Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 13 Nov 20203.1.1.362251.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + I - Mission Critical Public <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Classified <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Sensitive <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Public <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000010 Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. <VulnDiscussion>Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties. - - - - Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. + V-73217 + SV-87869 + CCI-000366 + Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties. + + + + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. - - SRG-OS-000324-GPOS-00125 - <GroupDescription></GroupDescription> - - WN16-DC-000010 - Only administrators responsible for the domain controller must have Administrator rights on the system. 
- <VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. - -System administrators must log on to systems using only accounts with the minimum level of authority necessary. - -Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-002235 - Configure the Administrators group to include only administrator groups or accounts that are responsible for the system. - -Remove any standard user accounts. - - - - This applies to domain controllers. A separate version applies to other systems. - -Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. - -Standard user accounts must not be members of the local administrator group. - -If prohibited accounts are members of the local administrators group, this is a finding. - -If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding. - - - - + SRG-OS-000076-GPOS-00044 <GroupDescription></GroupDescription> - + WN16-00-000030 Passwords for the built-in Administrator account must be changed at least every 60 days. <VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. 
The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure. Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000199 - Change the built-in Administrator account password at least every "60" days. + SV-87875 + V-73223 + CCI-000199 + Change the built-in Administrator account password at least every "60" days. Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this. - - - + + + Review the password last set date for the built-in Administrator account. Domain controllers: 
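Review bot: this region deletes the whole WN16-DC-000010 rule (SRG-OS-000324-GPOS-00125, "Only administrators responsible for the domain controller must have Administrator rights on the system", CCI-002235) instead of just updating its target metadata and legacy IDs the way the neighbouring WN16-00-000010 and WN16-00-000030 rules are handled (`DPMS Target Windows 2016` to `DPMS Target Windows Server 2016`, `3157` to `4205`, plus the new `V-`/`SV-` ident elements). If that removal reflects the upstream benchmark it should be called out in the PR description, and the processed Windows Server 2016 DC StigData and any tests that reference WN16-DC-000010 need the same removal; if it does not, the rule should be kept with the updated metadata.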
@@ -2602,10 +2582,10 @@ If the "PasswordLastSet" date is greater than "60" days old, this is a finding.< - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000040 Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. <VulnDiscussion>Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. 
@@ -2616,19 +2596,21 @@ The policy should define specific exceptions for local service administration. T Whitelisting can be used to enforce the policy to ensure compliance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Establish a policy, at minimum, to prohibit administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Ensure the policy is enforced. + SV-87877 + V-73225 + CCI-000366 + Establish a policy, at minimum, to prohibit administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Ensure the policy is enforced. The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement. - - - + + + Determine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. If it does not, this is a finding. 
@@ -2637,25 +2619,27 @@ The organization may use technical means such as whitelisting to prevent the use - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000050 Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. <VulnDiscussion>Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. Members of the Backup Operators group must have separate logon accounts for performing backup duties.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions. - - - + SV-87879 + V-73227 + CCI-000366 + Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions. + + + If no accounts are members of the Backup Operators group, this is NA. Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. 
@@ -2664,25 +2648,27 @@ If users with accounts in the Backup Operators group do not have separate accoun - + SRG-OS-000078-GPOS-00046 <GroupDescription></GroupDescription> - + WN16-00-000060 Manually managed application account passwords must be at least 15 characters in length. <VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000205 - Establish a policy that requires application/service account passwords that are manually managed to be at least 15 characters in length. Ensure the policy is enforced. - - - + V-73229 + SV-87881 + CCI-000205 + Establish a policy that requires application/service account passwords that are manually managed to be at least 15 characters in length. Ensure the policy is enforced. + + + Determine if manually managed application/service accounts exist. If none exist, this is NA. Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. 
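Review bot: the two new legacy ident elements are emitted in different orders across hunks: here `V-73229` precedes `SV-87881`, while the WN16-00-000050 hunk above emits `SV-87879` then `V-73227` and the WN16-00-000030 hunk emits `SV-87875` then `V-73223`. Any LegacyId extraction that picks the first (or second) ident element by position will return the SV- value for some rules and the V- value for others; it should select by prefix pattern (`^V-\d+$`) instead, and a test fixture that contains both orderings would guard against a regression.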
@@ -2691,27 +2677,29 @@ If such a policy does not exist or has not been implemented, this is a finding.< - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000070 Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. <VulnDiscussion>Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are used, this alleviates the need to manually change application account passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. + SV-87883 + V-73231 + CCI-000366 + Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. It is recommended that system-managed service accounts be used whenever possible. - - - + + + Determine if manually managed application/service accounts exist. If none exist, this is NA. If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. 
@@ -2738,27 +2726,29 @@ If the "Password Last Set" date is more than one year old, this is a finding. - + SRG-OS-000104-GPOS-00051 <GroupDescription></GroupDescription> - + WN16-00-000080 Shared user accounts must not be permitted on the system. <VulnDiscussion>Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000764 - Remove unapproved shared accounts from the system. + SV-87885 + V-73233 + CCI-000764 + Remove unapproved shared accounts from the system. Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. - - - + + + Determine whether any shared accounts exist. If no shared accounts exist, this is NA. Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. 
@@ -2767,24 +2757,26 @@ If unapproved shared accounts exist, this is a finding. - + SRG-OS-000370-GPOS-00155 <GroupDescription></GroupDescription> - + WN16-00-000090 Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. <VulnDiscussion>Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001774 - Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + SV-87887 + V-73235 + CCI-001774 + Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server. 
@@ -2793,9 +2785,9 @@ If AppLocker is used, it is configured through group policy in Computer Configur Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - - - + + + This is applicable to unclassified systems. For other systems, this is NA. Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
@@ -2826,29 +2818,31 @@ https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000100 Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. <VulnDiscussion>Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met in order for Credential Guard to be configured and enabled properly. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) + SV-87889 + V-73237 + CCI-000366 + Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) The TPM must be enabled in the firmware. Run "tpm.msc" for configuration options in Windows. - - - + + + For standalone systems, this is NA. Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. 
@@ -2867,25 +2861,27 @@ If a TPM is not found or is not ready for use, this is a finding. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000110 Systems must be maintained at a supported servicing level. <VulnDiscussion>Systems at unsupported servicing levels will not receive security updates for new vulnerabilities, which leave them subject to exploitation. Systems must be maintained at a servicing level supported by the vendor with new security updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Update the system to a Version 1607 (Build 14393.xxx) or greater. - - - + SV-87891 + V-73239 + CCI-000366 + Update the system to a Version 1607 (Build 14393.xxx) or greater. + + + Open "Command Prompt". Enter "winver.exe". 
@@ -2896,53 +2892,83 @@ Preview versions must not be used in a production environment. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000120 The Windows Server 2016 system must use an anti-virus program. <VulnDiscussion>Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Install an anti-virus solution on the system. - - - + SV-87893 + V-73241 + CCI-000366 + If no anti-virus software is in use, install Windows Defender or third-party anti-virus. + +Open "PowerShell". + +Enter "Install-WindowsFeature -Name Windows-Defender” + +For third-party anti-virus, install per anti-virus instructions and disable Windows Defender. + +Open "PowerShell". + +Enter “Uninstall-WindowsFeature -Name Windows-Defender”. + + + + Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. -If there is no anti-virus solution installed on the system, this is a finding. +If there is no anti-virus solution installed on the system, this is a finding. + +Verify if Windows Defender is in use or enabled: + +Open "PowerShell". + +Enter "get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName” + +Verify if third-party anti-virus is in use or enabled: + +Open "PowerShell". 
+ +Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName” + +Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName” + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000140 Servers must have a host-based intrusion detection or prevention system. <VulnDiscussion>A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense against unauthorized access to critical servers. With proper configuration and logging enabled, such a system can stop and/or alert for many attempts to gain unauthorized access to resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Install a HIDS or HIPS on each server. - - - - Determine whether there is a HIDS or HIPS on each server. + SV-87897 + V-73245 + CCI-000366 + Install a HIDS or HIPS on each server. + + + + Determine whether there is a HIDS or HIPS on each server. -If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. +If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the ISSO. 
@@ -2950,25 +2976,27 @@ If a HIDS is not installed on the system, this is a finding. - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + WN16-00-000150 Local volumes must use a format that supports NTFS attributes. <VulnDiscussion>The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, volumes must be formatted using a file system that supports NTFS attributes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000213 - Format volumes to use NTFS or ReFS. - - - + SV-87899 + V-73247 + CCI-000213 + Format volumes to use NTFS or ReFS. + + + Open "Computer Management". Select "Disk Management" under "Storage". @@ -2981,10 +3009,10 @@ This does not apply to system partitions such the Recovery and EFI System Partit - + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - + WN16-00-000160 Permissions for the system drive root directory (usually C:\) must conform to minimum requirements. <VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. 
@@ -2993,14 +3021,16 @@ The default permissions are adequate when the Security Option "Network access: L Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002165 - Maintain the default permissions for the system drive's root directory and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). + SV-87901 + V-73249 + CCI-002165 + Maintain the default permissions for the system drive's root directory and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). Default Permissions C:\ @@ -3015,9 +3045,9 @@ Users - Read & execute - This folder, subfolders, and files Users - Create folders/append data - This folder and subfolders Users - Create files/write data - Subfolders only CREATOR OWNER - Full Control - Subfolders and files only - - - + + + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). Review the permissions for the system drive's root directory (usually C:\). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) 
@@ -3065,10 +3095,10 @@ Successfully processed 1 files; Failed processing 0 files - + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - + WN16-00-000170 Permissions for program file directories must conform to minimum requirements. <VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. @@ -3077,14 +3107,16 @@ The default permissions are adequate when the Security Option "Network access: L Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002165 - Maintain the default permissions for the program file directories and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). + V-73251 + SV-87903 + CCI-002165 + Maintain the default permissions for the program file directories and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). Default permissions: \Program Files and \Program Files (x86) 
@@ -3102,9 +3134,9 @@ Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files - - - + + + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). Review the permissions for the program file directories (Program Files and Program Files [x86]). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. (Individual accounts must not be used to assign permissions.) @@ -3163,10 +3195,10 @@ Successfully processed 1 files; Failed processing 0 files - + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - + WN16-00-000180 Permissions for the Windows installation directory must conform to minimum requirements. <VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. 
@@ -3175,14 +3207,16 @@ The default permissions are adequate when the Security Option "Network access: L Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002165 - Maintain the default file ACLs and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). + V-73253 + SV-87905 + CCI-002165 + Maintain the default file ACLs and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). Default permissions: Type - "Allow" for all @@ -3199,9 +3233,9 @@ Users - Read & execute - This folder, subfolders, and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files - - - + + + The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). Review the permissions for the Windows installation directory (usually C:\Windows). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. (Individual accounts must not be used to assign permissions.) 
@@ -3259,22 +3293,24 @@ Successfully processed 1 files; Failed processing 0 files - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN16-00-000190 Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. <VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous modification to the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive. + SV-87907 + V-73255 + CCI-002235 + Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive. The default permissions of the higher-level keys are noted below. @@ -3307,9 +3343,9 @@ Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - Subkeys only ALL APPLICATION PACKAGES - Read - This key and subkeys - - - + + + Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive noted below. If any non-privileged groups such as Everyone, Users, or Authenticated Users have greater than Read permission, this is a finding. 
@@ -3358,36 +3394,38 @@ If the defaults have not been changed, these are not a finding. - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + WN16-00-000200 Non-administrative accounts or groups must only have print permissions on printer shares. <VulnDiscussion>Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration can permit access to devices and data beyond a user's need.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000213 - Configure the permissions on shared printers to restrict standard users to only have Print permissions. - - - + V-73257 + SV-87909 + CCI-000213 + Configure the permissions on shared printers to restrict standard users to only have Print permissions. + + + Open "Devices and Printers". If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) For each printer: -Right-click on the printer. +Right-click on the printer. -Select "Printer Properties". +Select "Printer Properties". -Select the "Sharing" tab. +Select the "Sharing" tab. If "Share this printer" is checked, select the "Security" tab. 
@@ -3399,28 +3437,30 @@ The default is for the "Everyone" group to be given "Print" permission. - + SRG-OS-000104-GPOS-00051 <GroupDescription></GroupDescription> - + WN16-00-000210 Outdated or unused accounts must be removed from the system or disabled. <VulnDiscussion>Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed. Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000118-GPOS-00060</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000764 - CCI-000795 - Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days. - - - + V-73259 + SV-87911 + CCI-000764 + CCI-000795 + Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days. + + + Open "Windows PowerShell". Domain Controllers: @@ -3440,7 +3480,7 @@ Copy or enter the lines below to the PowerShell window and enter. (Entering twic if ($lastLogin -eq $null) { $lastLogin = 'Never' } - Write-Host $user.Name $lastLogin $enabled + Write-Host $user.Name $lastLogin $enabled }" This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). 
@@ -3452,6 +3492,7 @@ Exclude the following accounts: - Built-in administrator account (Renamed, SID ending in 500) - Built-in guest account (Renamed, Disabled, SID ending in 501) +- Built-in default account (Renamed, Disabled, SID ending in 503) - Application accounts If any enabled accounts have not been logged on to within the past 35 days, this is a finding. @@ -3460,27 +3501,29 @@ Inactive accounts that have been reviewed and deemed to be required must be docu - + SRG-OS-000104-GPOS-00051 <GroupDescription></GroupDescription> - + WN16-00-000220 Windows Server 2016 accounts must require passwords. <VulnDiscussion>The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000764 - Configure all enabled accounts to require passwords. + SV-87913 + V-73261 + CCI-000764 + Configure all enabled accounts to require passwords. The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account. - - - + + + Review the password required status for enabled user accounts. Open "PowerShell". 
@@ -3503,27 +3546,29 @@ If any enabled user accounts are returned with a "PasswordRequired" status of "F - + SRG-OS-000076-GPOS-00044 <GroupDescription></GroupDescription> - + WN16-00-000230 Passwords must be configured to expire. <VulnDiscussion>Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000199 - Configure all enabled user account passwords to expire. + V-73263 + SV-87915 + CCI-000199 + Configure all enabled user account passwords to expire. Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO. - - - + + + Review the password never expires status for enabled user accounts. Open "PowerShell". 
@@ -3546,54 +3591,60 @@ If any enabled user accounts are returned with a "PasswordExpires" status of "Fa - + SRG-OS-000363-GPOS-00150 <GroupDescription></GroupDescription> - + WN16-00-000240 System files must be monitored for unauthorized changes. <VulnDiscussion>Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001744 - Monitor the system for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. This can be done with the use of various monitoring tools. - - - + SV-87917 + V-73265 + CCI-001744 + Monitor the system for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. This can be done with the use of various monitoring tools. + + + Determine whether the system is monitored for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. +A properly configured and approved DoD HBSS solution that supports a File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. + If system files are not monitored for unauthorized changes, this is a finding. A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. The Asset module within HBSS does not meet this requirement. 
- + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - + WN16-00-000250 Non-system-created file shares on a system must limit access to groups that require it. <VulnDiscussion>Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001090 - If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. + SV-87919 + V-73267 + CCI-001090 + If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. Remove any unnecessary non-system-created shares. - - - + + + If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. (System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) Run "Computer Management". 
@@ -3614,27 +3665,29 @@ If the permissions have not been configured to restrict permissions to the speci - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000270 Software certificate installation files must be removed from Windows Server 2016. <VulnDiscussion>Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Remove any certificate installation files (*.p12 and *.pfx) found on a system. + SV-87923 + V-73271 + CCI-000366 + Remove any certificate installation files (*.p12 and *.pfx) found on a system. Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. - - - + + + Search all drives for *.p12 and *.pfx files. If any files with these extensions exist, this is a finding. 
@@ -3643,10 +3696,10 @@ This does not apply to server-based applications that have a requirement for .p1 - + SRG-OS-000185-GPOS-00079 <GroupDescription></GroupDescription> - + WN16-00-000280 Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. <VulnDiscussion>This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. 
@@ -3655,29 +3708,31 @@ Selection of a cryptographic mechanism is based on the need to protect the integ Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001199 - CCI-002475 - CCI-002476 - Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest. - - - + SV-87925 + V-73273 + CCI-001199 + CCI-002475 + CCI-002476 + Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest. + + + Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. If they do not, this is a finding. - + SRG-OS-000425-GPOS-00189 <GroupDescription></GroupDescription> - + WN16-00-000290 Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. 
<VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. 
@@ -3688,43 +3743,47 @@ Use of this requirement will be limited to situations where the data owner has a Satisfies: SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002420 - CCI-002422 - Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. - - - + SV-87927 + V-73275 + CCI-002422 + CCI-002420 + Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. + + + If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented. If protection methods have not been implemented, this is a finding. - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - + WN16-00-000300 The roles and features required by the system must be documented. <VulnDiscussion>Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. 
The standard installation option (previously called Server Core) further reduces this when selected at installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000381 - Document the roles and features required for the system to operate. Uninstall any that are not required. - - - + V-73277 + SV-87929 + CCI-000381 + Document the roles and features required for the system to operate. Uninstall any that are not required. + + + Required roles and features will vary based on the function of the individual system. Roles and features specifically required to be disabled per the STIG are identified in separate requirements. 
@@ -3735,26 +3794,28 @@ The PowerShell command "Get-WindowsFeature" will list all roles and features wit - - SRG-OS-000480-GPOS-00231 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000310 A host-based firewall must be installed and enabled on the system. <VulnDiscussion>A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - CCI-002080 - Install and enable a host-based firewall on the system. - - - + V-73279 + SV-87931 + CCI-000366 + CCI-002080 + Install and enable a host-based firewall on the system. + + + Determine if a host-based firewall is installed and enabled on the system. If a host-based firewall is not installed and enabled on the system, this is a finding. 
@@ -3763,35 +3824,37 @@ The configuration requirements will be determined by the applicable firewall STI - + SRG-OS-000191-GPOS-00080 <GroupDescription></GroupDescription> - + WN16-00-000320 - Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). + Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). <VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001233 - Install a DoD approved HBSS software and ensure it is operating continuously. 
- - - + SV-87933 + V-73281 + CCI-001233 + Install a DoD approved HBSS software and ensure it is operating continuously. + + + Verify DoD approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured, maintained, or used, this is a finding. - + SRG-OS-000002-GPOS-00002 <GroupDescription></GroupDescription> - + WN16-00-000330 Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. <VulnDiscussion>If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. 
@@ -3802,23 +3865,25 @@ If temporary accounts are used, the operating system must be configured to autom To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000016 - Configure temporary user accounts to automatically expire within 72 hours. + V-73283 + SV-87935 + CCI-000016 + Configure temporary user accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date, under "Account" properties. Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. Delete any temporary user accounts that are no longer necessary. - - - + + + Review temporary user accounts for expiration dates. Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. 
@@ -3841,10 +3906,10 @@ If "Account expires" has not been defined within 72 hours for any temporary user - + SRG-OS-000123-GPOS-00064 <GroupDescription></GroupDescription> - + WN16-00-000340 Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. <VulnDiscussion>Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. 
@@ -3853,21 +3918,23 @@ Emergency administrator accounts are different from infrequently used accounts ( To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001682 - Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. + V-73285 + SV-87937 + CCI-001682 + Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. Domain accounts can be configured with an account expiration date, under "Account" properties. Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. - - - + + + Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. 
@@ -3878,7 +3945,7 @@ Domain Controllers: Open "PowerShell". -Enter "Search-ADAccount –AccountExpiring | FT Name, AccountExpirationDate". +Enter "Search-ADAccount –AccountExpiring | FT Name, AccountExpirationDate". If "AccountExpirationDate" has been defined and is not within 72 hours for an emergency administrator account, this is a finding. @@ -3892,22 +3959,24 @@ If "Account expires" has been defined and is not within 72 hours for an emergenc - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - + WN16-00-000350 The Fax Server role must not be installed. <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000381 - Uninstall the "Fax Server" role. + V-73287 + SV-87939 + CCI-000381 + Uninstall the "Fax Server" role. Start "Server Manager". @@ -3922,9 +3991,9 @@ Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Fax Server" on the "Roles" page. Click "Next" and "Remove" as prompted. - - - + + + Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Fax". 
@@ -3935,22 +4004,24 @@ An Installed State of "Available" or "Removed" is not a finding. - + SRG-OS-000096-GPOS-00050 <GroupDescription></GroupDescription> - + WN16-00-000360 The Microsoft FTP service must not be installed unless required. <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000382 - Uninstall the "FTP Server" role. + SV-87941 + V-73289 + CCI-000382 + Uninstall the "FTP Server" role. Start "Server Manager". @@ -3965,9 +4036,9 @@ Select the appropriate server on the "Server Selection" page and click "Next". Deselect "FTP Server" under "Web Server (IIS)" on the "Roles" page. Click "Next" and "Remove" as prompted. - - - + + + If the server has the role of an FTP server, this is NA. Open "PowerShell". 
@@ -3982,22 +4053,24 @@ If the system has the role of an FTP server, this must be documented with the IS - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - + WN16-00-000370 The Peer Name Resolution Protocol must not be installed. <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000381 - Uninstall the "Peer Name Resolution Protocol" feature. + SV-87943 + V-73291 + CCI-000381 + Uninstall the "Peer Name Resolution Protocol" feature. Start "Server Manager". @@ -4012,9 +4085,9 @@ Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Peer Name Resolution Protocol" on the "Features" page. Click "Next" and "Remove" as prompted. - - - + + + Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq PNRP". 
@@ -4025,22 +4098,24 @@ An Installed State of "Available" or "Removed" is not a finding. - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - + WN16-00-000380 Simple TCP/IP Services must not be installed. <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000381 - Uninstall the "Simple TCP/IP Services" feature. + SV-87945 + V-73293 + CCI-000381 + Uninstall the "Simple TCP/IP Services" feature. Start "Server Manager". @@ -4055,9 +4130,9 @@ Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Simple TCP/IP Services" on the "Features" page. Click "Next" and "Remove" as prompted. - - - + + + Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Simple-TCPIP". 
@@ -4068,22 +4143,24 @@ An Installed State of "Available" or "Removed" is not a finding. - + SRG-OS-000096-GPOS-00050 <GroupDescription></GroupDescription> - + WN16-00-000390 The Telnet Client must not be installed. <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000382 - Uninstall the "Telnet Client" feature. + SV-87947 + V-73295 + CCI-000382 + Uninstall the "Telnet Client" feature. Start "Server Manager". @@ -4098,9 +4175,9 @@ Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Telnet Client" on the "Features" page. Click "Next" and "Remove" as prompted. - - - + + + Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq Telnet-Client". 
@@ -4111,22 +4188,24 @@ An Installed State of "Available" or "Removed" is not a finding. - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - + WN16-00-000400 The TFTP Client must not be installed. <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000381 - Uninstall the "TFTP Client" feature. + V-73297 + SV-87949 + CCI-000381 + Uninstall the "TFTP Client" feature. Start "Server Manager". @@ -4141,9 +4220,9 @@ Select the appropriate server on the "Server Selection" page and click "Next". Deselect "TFTP Client" on the "Features" page. Click "Next" and "Remove" as prompted. - - - + + + Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq TFTP-Client". 
@@ -4154,22 +4233,24 @@ An Installed State of "Available" or "Removed" is not a finding. - + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - + WN16-00-000410 The Server Message Block (SMB) v1 protocol must be uninstalled. <VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000381 - Uninstall the SMBv1 protocol. + SV-87951 + V-73299 + CCI-000381 + Uninstall the SMBv1 protocol. Open "Windows PowerShell" with elevated privileges (run as administrator). @@ -4191,9 +4272,9 @@ Select the appropriate server on the "Server Selection" page and click "Next". Deselect "SMB 1.0/CIFS File Sharing Support" on the "Features" page. Click "Next" and "Remove" as prompted. - - - + + + Different methods are available to disable SMBv1 on Windows 2016. This is the preferred method, however if V-78123 and V-78125 are configured, this is NA. Open "Windows PowerShell" with elevated privileges (run as administrator). 
@@ -4206,22 +4287,102 @@ An Installed State of "Available" or "Removed" is not a finding. - + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + WN16-00-000411 + The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. + <VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-78123 + SV-92829 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 Server" to "Disabled". + +The system must be restarted for the change to take effect. + +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + Different methods are available to disable SMBv1 on Windows 2016, if V-73299 is configured, this is NA. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ + +Value Name: SMB1 + +Type: REG_DWORD +Value: 0x00000000 (0) + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + WN16-00-000412 + The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. + <VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-78125 + SV-92831 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client driver" to "Enabled" with "Disable driver (recommended)" selected for "Configure MrxSmb10 driver". + +The system must be restarted for the changes to take effect. + +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + Different methods are available to disable SMBv1 on Windows 2016, if V-73299 is configured, this is NA. 
+ +If the following registry value is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ + +Value Name: Start + +Type: REG_DWORD +Value: 0x00000004 (4) + + + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - + WN16-00-000420 Windows PowerShell 2.0 must not be installed. <VulnDiscussion>Windows PowerShell 5.0 added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000381 - Uninstall the "Windows PowerShell 2.0 Engine". + SV-87953 + V-73301 + CCI-000381 + Uninstall the "Windows PowerShell 2.0 Engine". Start "Server Manager". @@ -4236,9 +4397,9 @@ Select the appropriate server on the "Server Selection" page and click "Next". Deselect "Windows PowerShell 2.0 Engine" under "Windows PowerShell" on the "Features" page. Click "Next" and "Remove" as prompted. - - - + + + Open "PowerShell". Enter "Get-WindowsFeature | Where Name -eq PowerShell-v2". 
@@ -4249,24 +4410,26 @@ An Installed State of "Available" or "Removed" is not a finding. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000430 FTP servers must be configured to prevent anonymous logons. <VulnDiscussion>The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult. Using accounts that have administrator privileges to log on to FTP risks that the userid and password will be captured on the network and give administrator access to an unauthorized user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the FTP service to prevent anonymous logons. + V-73303 + SV-87955 + CCI-000366 + Configure the FTP service to prevent anonymous logons. Open "Internet Information Services (IIS) Manager". @@ -4277,9 +4440,9 @@ Double-click "FTP Authentication". Select "Anonymous Authentication". Select "Disabled" under "Actions". - - - + + + If FTP is not installed on the system, this is NA. Open "Internet Information Services (IIS) Manager". 
@@ -4292,25 +4455,27 @@ If the "Anonymous Authentication" status is "Enabled", this is a finding. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-00-000440 FTP servers must be configured to prevent access to the system drive. <VulnDiscussion>The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, especially if the user can gain access to the root directory of the boot drive.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system. - - - + SV-87957 + V-73305 + CCI-000366 + Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system. + + + If FTP is not installed on the system, this is NA. Open "Internet Information Services (IIS) Manager". 
@@ -4325,31 +4490,33 @@ If the site includes any system areas such as root of the drive, Program Files, - + SRG-OS-000355-GPOS-00143 <GroupDescription></GroupDescription> - + WN16-00-000450 The time service must synchronize with an appropriate DoD time source. <VulnDiscussion>The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Windows Time Service is used, it must synchronize with a secure, authorized time source. Domain-joined systems are automatically configured to synchronize with domain controllers. If an NTP server is configured, it must synchronize with a secure, authorized time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001891 - Configure the system to synchronize time with an appropriate DoD time source. + SV-87959 + V-73307 + CCI-001891 + Configure the system to synchronize time with an appropriate DoD time source. Domain-joined systems use NT5DS to synchronize time from other systems in the domain by default. If the system needs to be configured to an NTP server, configure the system to point to an authorized time server by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an appropriate DoD time server. The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. 
Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy. - - - + + + Review the Windows time service configuration. Open an elevated "Command Prompt" (run as administrator). 
@@ -4372,4899 +4539,5686 @@ Enter "Get-ADDomain | FT PDCEmulator". - - SRG-OS-000112-GPOS-00057 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-DC-000020 - Kerberos user logon restrictions must be enforced. - <VulnDiscussion>This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented. - -Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-00-000470 + Secure Boot must be enabled on Windows Server 2016 systems. + <VulnDiscussion>Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security features in Windows Server 2016, including Virtualization Based Security and Credential Guard. 
If Secure Boot is turned off, these security features will not function.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001941 - CCI-001942 - Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled". - - - - This applies to domain controllers. It is NA for other systems. - -Verify the following is configured in the Default Domain Policy. + SV-101005 + V-90355 + CCI-000366 + Enable Secure Boot in the system firmware. + + + + Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. -Open "Group Policy Management". - -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). - -Right-click on the "Default Domain Policy". - -Select "Edit". - -Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. +Run "System Information". -If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. +Under "System Summary", if "Secure Boot State" does not display "On", this is finding. 
- - SRG-OS-000112-GPOS-00057 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-DC-000030 - The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. - <VulnDiscussion>This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection. - -Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-00-000480 + Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. + <VulnDiscussion>UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional security features in Windows Server 2016, including Virtualization Based Security and Credential Guard. 
Systems with UEFI that are operating in "Legacy BIOS" mode will not support these security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001941 - CCI-001942 - Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for service ticket" to a maximum of "600" minutes, but not "0", which equates to "Ticket doesn't expire". - - - - This applies to domain controllers. It is NA for other systems. - -Verify the following is configured in the Default Domain Policy. - -Open "Group Policy Management". - -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). - -Right-click on the "Default Domain Policy". + SV-101007 + V-90357 + CCI-000366 + Configure UEFI firmware to run in "UEFI" mode, not "Legacy BIOS" mode. + + + + Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must run in "UEFI" mode. -Select "Edit". +Verify the system firmware is configured to run in "UEFI" mode, not "Legacy BIOS". -Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. +Run "System Information". -If the value for "Maximum lifetime for service ticket" is "0" or greater than "600" minutes, this is a finding. 
+Under "System Summary", if "BIOS Mode" does not display "UEFI", this is finding. - - SRG-OS-000112-GPOS-00057 + + SRG-OS-000342-GPOS-00133 <GroupDescription></GroupDescription> - - WN16-DC-000040 - The Kerberos user ticket lifetime must be limited to 10 hours or less. - <VulnDiscussion>In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed. - -Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-AU-000010 + Audit records must be backed up to a different system or media than the system being audited. + <VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. 
Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001941 - CCI-001942 - Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket" to a maximum of "10" hours but not "0", which equates to "Ticket doesn't expire". - - - - This applies to domain controllers. It is NA for other systems. - -Verify the following is configured in the Default Domain Policy. - -Open "Group Policy Management". - -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). - -Right-click on the "Default Domain Policy". - -Select "Edit". + SV-88053 + V-73401 + CCI-001851 + Establish and implement a process for backing up log data to another system or media other than the system being audited. + + + + Determine if a process to back up log data to a different system or media than the system being audited has been implemented. -Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. +If it has not, this is a finding. + + + + + SRG-OS-000479-GPOS-00224 + <GroupDescription></GroupDescription> + + WN16-AU-000020 + Windows Server 2016 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. 
+ <VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73403 + SV-88055 + CCI-001851 + Configure the system to, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. + + + + Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. -If the value for "Maximum lifetime for user ticket" is "0" or greater than "10" hours, this is a finding. +If they are not, this is a finding. - - SRG-OS-000112-GPOS-00057 + + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - WN16-DC-000050 - The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. - <VulnDiscussion>This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access. + + WN16-AU-000030 + Permissions for the Application event log must prevent access by non-privileged accounts. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Application event log may be susceptible to tampering if proper permissions are not applied. -Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001941 - CCI-001942 - Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket renewal" to a maximum of "7" days or less. - - - - This applies to domain controllers. It is NA for other systems. + SV-88057 + V-73405 + CCI-000162 + CCI-000163 + CCI-000164 + Configure the permissions on the Application event log file (Application.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: -Verify the following is configured in the Default Domain Policy. +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control -Open "Group Policy Management". 
+The default location is the "%SystemRoot%\ System32\winevt\Logs" folder. -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). - -Right-click on the "Default Domain Policy". +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". + + + + Navigate to the Application event log file. -Select "Edit". +The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. -Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. +If the permissions for the "Application.evtx" file are not as restrictive as the default permissions listed below, this is a finding. -If the "Maximum lifetime for user ticket renewal" is greater than "7" days, this is a finding. +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control - - SRG-OS-000112-GPOS-00057 + + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - WN16-DC-000060 - The computer clock synchronization tolerance must be limited to 5 minutes or less. - <VulnDiscussion>This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible. + + WN16-AU-000040 + Permissions for the Security event log must prevent access by non-privileged accounts. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Security event log may disclose sensitive information or be susceptible to tampering if proper permissions are not applied. -Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001941 - CCI-001942 - Configure the policy value in the Default Domain Policy for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum tolerance for computer clock synchronization" to a maximum of "5" minutes or less. - - - - This applies to domain controllers. It is NA for other systems. + V-73407 + SV-88059 + CCI-000164 + CCI-000163 + CCI-000162 + Configure the permissions on the Security event log file (Security.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: -Verify the following is configured in the Default Domain Policy. 
+Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control -Open "Group Policy Management". +The default location is the "%SystemRoot%\ System32\winevt\Logs" folder. -Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). - -Right-click on the "Default Domain Policy". +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". + + + + Navigate to the Security event log file. -Select "Edit". +The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. -Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. +If the permissions for the "Security.evtx" file are not as restrictive as the default permissions listed below, this is a finding. -If the "Maximum tolerance for computer clock synchronization" is greater than "5" minutes, this is a finding. +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - WN16-DC-000070 - Permissions on the Active Directory data files must only allow System and Administrators access. - <VulnDiscussion>Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete directory data or audit trails.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-AU-000050 + Permissions for the System event log must prevent access by non-privileged accounts. 
+ <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The System event log may be susceptible to tampering if proper permissions are not applied. + +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Maintain the permissions on NTDS database and log files as follows: + SV-88061 + V-73409 + CCI-000162 + CCI-000163 + CCI-000164 + Configure the permissions on the System event log file (System.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: -NT AUTHORITY\SYSTEM:(I)(F) -BUILTIN\Administrators:(I)(F) +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control -(I) - permission inherited from parent container -(F) - full access - - - - This applies to domain controllers. It is NA for other systems. +The default location is the "%SystemRoot%\ System32\winevt\Logs" folder. -Run "Regedit". +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". + + + + Navigate to the System event log file. -Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". 
+The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. -Note the directory locations in the values for: +If the permissions for the "System.evtx" file are not as restrictive as the default permissions listed below, this is a finding. -Database log files path -DSA Database file +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + + + + + SRG-OS-000257-GPOS-00098 + <GroupDescription></GroupDescription> + + WN16-AU-000060 + Event Viewer must be protected from unauthorized modification and deletion. + <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. -By default, they will be \Windows\NTDS. +Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification or deletion of audit tools. -If the locations are different, the following will need to be run for each. +Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73411 + SV-88063 + CCI-001494 + CCI-001495 + Configure the permissions on the "Eventvwr.exe" file to prevent modification by any groups or accounts other than TrustedInstaller. 
The default permissions listed below satisfy this requirement: -Open "Command Prompt (Admin)". +TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute -Navigate to the NTDS directory (\Windows\NTDS by default). +The default location is the "%SystemRoot%\ System32" folder. + + + + Navigate to "%SystemRoot%\System32". -Run "icacls *.*". +View the permissions on "Eventvwr.exe". -If the permissions on each file are not as restrictive as the following, this is a finding. +If any groups or accounts other than TrustedInstaller have "Full control" or "Modify" permissions, this is a finding. -NT AUTHORITY\SYSTEM:(I)(F) -BUILTIN\Administrators:(I)(F) +The default permissions below satisfy this requirement: -(I) - permission inherited from parent container -(F) - full access +TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000470-GPOS-00214 <GroupDescription></GroupDescription> - - WN16-DC-000080 - The Active Directory SYSVOL directory must have the proper access control permissions. - <VulnDiscussion>Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. + + WN16-AU-000070 + Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
-The SYSVOL directory contains public files (to the domain) such as policies and logon scripts. Data in shared subdirectories are replicated to all domain controllers in a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Maintain the permissions on the SYSVOL directory. Do not allow greater than "Read & execute" permissions for standard user accounts or groups. The defaults below meet this requirement. - -C:\Windows\SYSVOL -Type - "Allow" for all -Inherited from - "None" for all - -Principal - Access - Applies to - -Authenticated Users - Read & execute - This folder, subfolder, and files -Server Operators - Read & execute- This folder, subfolder, and files -Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) -CREATOR OWNER - Full control - Subfolders and files only -Administrators - Full control - Subfolders and files only -SYSTEM - Full control - This folder, subfolders, and files - - - - This applies to domain controllers. It is NA for other systems. - -Open a command prompt. 
- -Run "net share". - -Make note of the directory location of the SYSVOL share. - -By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. - -If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. - -The default permissions noted below meet this requirement. - -Open "Command Prompt". + V-73413 + SV-88065 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Run "icacls c:\Windows\SYSVOL". +Use the AuditPol tool to review the current Audit Policy configuration: -The following results should be displayed: +Open an elevated "Command Prompt" (run as administrator). -NT AUTHORITY\Authenticated Users:(RX) -NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) -BUILTIN\Server Operators:(RX) -BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) -BUILTIN\Administrators:(M,WDAC,WO) -BUILTIN\Administrators:(OI)(CI)(IO)(F) -NT AUTHORITY\SYSTEM:(F) -NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) -BUILTIN\Administrators:(M,WDAC,WO) -CREATOR OWNER:(OI)(CI)(IO)(F) +Enter "AuditPol /get /category:*". -(RX) - Read & execute +Compare the AuditPol settings with the following. -Run "icacls /help" to view definitions of other permission codes. +If the system does not audit the following, this is a finding. -Alternately, open "File Explorer". 
+Account Logon >> Credential Validation - Success + + + + + SRG-OS-000470-GPOS-00214 + <GroupDescription></GroupDescription> + + WN16-AU-000080 + Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Navigate to \Windows\SYSVOL (or the directory noted previously if different). +Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88067 + V-73415 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Right-click the directory and select properties. 
+Use the AuditPol tool to review the current Audit Policy configuration: -Select the "Security" tab and click "Advanced". +Open an elevated "Command Prompt" (run as administrator). -Default permissions: +Enter "AuditPol /get /category:*". -C:\Windows\SYSVOL -Type - "Allow" for all -Inherited from - "None" for all +Compare the AuditPol settings with the following. -Principal - Access - Applies to +If the system does not audit the following, this is a finding. -Authenticated Users - Read & execute - This folder, subfolder, and files -Server Operators - Read & execute- This folder, subfolder, and files -Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) -CREATOR OWNER - Full control - Subfolders and files only -Administrators - Full control - Subfolders and files only -SYSTEM - Full control - This folder, subfolders, and files +Account Logon >> Credential Validation - Failure - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-DC-000090 - Active Directory Group Policy objects must have proper access control permissions. - <VulnDiscussion>When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems relying on the directory service. + + WN16-AU-000100 + Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -For Active Directory (AD), the Group Policy objects require special attention. In a distributed administration model (i.e., help desk), Group Policy objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for Group Policy objects, this could allow an intruder to change the security policy applied to all domain client computers (workstations and servers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Other Account Management Events records events such as the access of a password hash or the Password Policy Checking API being called. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Maintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. 
The default permissions below meet this requirement. - -Authenticated Users - Read, Apply group policy, Special permissions + SV-88071 + V-73419 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Other Account Management Events" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -The special permissions for Authenticated Users are for Read-type Properties. +Use the AuditPol tool to review the current Audit Policy configuration: -CREATOR OWNER - Special permissions -SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions -Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions -Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions -ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions +Open an elevated "Command Prompt" (run as administrator). -Document any other access permissions that allow the objects to be updated with the ISSO. +Enter "AuditPol /get /category:*". -The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created Group Policy objects. - - - - This applies to domain controllers. It is NA for other systems. +Compare the AuditPol settings with the following. -Review the permissions on Group Policy objects. +If the system does not audit the following, this is a finding. -Open "Group Policy Management" (available from various menus or run "gpmc.msc"). 
+Account Management >> Other Account Management Events - Success + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + WN16-AU-000120 + Windows Server 2016 must be configured to audit Account Management - Security Group Management successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). +Security Group Management records events such as creating, deleting, or changing security groups, including changes in group members. -For each Group Policy object: +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88075 + V-73423 + CCI-000172 + CCI-000018 + CCI-002130 + CCI-001405 + CCI-001403 + CCI-001404 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Security Group Management" with "Success" selected. 
+ + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Select the Group Policy object item in the left pane. +Use the AuditPol tool to review the current Audit Policy configuration: -Select the "Delegation" tab in the right pane. +Open an elevated "Command Prompt" (run as administrator). -Select the "Advanced" button. +Enter "AuditPol /get /category:*". -Select each Group or user name. +Compare the AuditPol settings with the following. -View the permissions. +If the system does not audit the following, this is a finding. -If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding. +Account Management >> Security Group Management - Success + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + WN16-AU-000140 + Windows Server 2016 must be configured to audit Account Management - User Account Management successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. +User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. -The default permissions noted below satisfy this requirement. 
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73427 + SV-88079 + CCI-000018 + CCI-000172 + CCI-001403 + CCI-001405 + CCI-001404 + CCI-002130 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button. +Use the AuditPol tool to review the current Audit Policy configuration: -Authenticated Users - Read, Apply group policy, Special permissions +Open an elevated "Command Prompt" (run as administrator). -The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. +Enter "AuditPol /get /category:*". -The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties. 
+Compare the AuditPol settings with the following. -CREATOR OWNER - Special permissions -SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions -Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions -Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions -ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions +If the system does not audit the following, this is a finding. -The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on organization created Group Policy objects. +Account Management >> User Account Management - Success - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000004-GPOS-00004 <GroupDescription></GroupDescription> - - WN16-DC-000100 - The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. - <VulnDiscussion>When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. + + WN16-AU-000150 + Windows Server 2016 must be configured to audit Account Management - User Account Management failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain. Inappropriate access permissions defined for the Domain Controllers OU could allow an intruder or unauthorized personnel to make changes that could lead to the compromise of the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. + +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators. 
+ V-73429 + SV-88081 + CCI-000172 + CCI-000018 + CCI-002130 + CCI-001405 + CCI-001403 + CCI-001404 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -The default permissions listed below satisfy this requirement. +Use the AuditPol tool to review the current Audit Policy configuration: -Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions. +Open an elevated "Command Prompt" (run as administrator). -CREATOR OWNER - Special permissions +Enter "AuditPol /get /category:*". -SELF - Special permissions +Compare the AuditPol settings with the following. -Authenticated Users - Read, Special permissions +If the system does not audit the following, this is a finding. -The special permissions for Authenticated Users are Read types. +Account Management >> User Account Management - Failure + + + + + SRG-OS-000474-GPOS-00219 + <GroupDescription></GroupDescription> + + WN16-AU-000160 + Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
-SYSTEM - Full Control +Plug and Play activity records events related to the successful connection of external devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88083 + V-73431 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit PNP Activity" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions +Use the AuditPol tool to review the current Audit Policy configuration: -Enterprise Admins - Full Control +Open an elevated "Command Prompt" (run as administrator). -Key Admins - Special permissions +Enter "AuditPol /get /category:*" -Enterprise Key Admins - Special permissions +Compare the AuditPol settings with the following. -Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions +If the system does not audit the following, this is a finding. 
-Pre-Windows 2000 Compatible Access - Special permissions +Detailed Tracking >> Plug and Play Events - Success + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-AU-000170 + Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -The special permissions for Pre-Windows 2000 Compatible Access are Read types. +Process Creation records events related to the creation of a process and the source. -ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions - - - - This applies to domain controllers. It is NA for other systems. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73433 + SV-88085 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit Process Creation" with "Success" selected. 
+ + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Review the permissions on the Domain Controllers OU. +Use the AuditPol tool to review the current Audit Policy configuration: -Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). +Open an elevated "Command Prompt" (run as administrator). -Select "Advanced Features" in the "View" menu if not previously selected. +Enter "AuditPol /get /category:*". -Select the "Domain Controllers" OU (folder in folder icon). +Compare the AuditPol settings with the following. -Right-click and select "Properties". +If the system does not audit the following, this is a finding. -Select the "Security" tab. +Detailed Tracking >> Process Creation - Success + + + + + SRG-OS-000240-GPOS-00090 + <GroupDescription></GroupDescription> + + WN16-AU-000220 + Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding. +Account Lockout events can be used to identify potentially malicious logon attempts. -The default permissions listed below satisfy this requirement. 
+Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73443 + SV-88095 + CCI-001404 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding. +Use the AuditPol tool to review the current Audit Policy configuration: -The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "View" or "Edit" button. +Open an elevated "Command Prompt" (run as administrator). -Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. +Enter "AuditPol /get /category:*" -CREATOR OWNER - Special permissions +Compare the AuditPol settings with the following. -SELF - Special permissions +If the system does not audit the following, this is a finding. 
-Authenticated Users - Read, Special permissions +Logon/Logoff >> Account Lockout - Success + + + + + SRG-OS-000240-GPOS-00090 + <GroupDescription></GroupDescription> + + WN16-AU-000230 + Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -The special permissions for Authenticated Users are Read types. +Account Lockout events can be used to identify potentially malicious logon attempts. -If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. +Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73445 + SV-88097 + CCI-000172 + CCI-001404 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Failure" selected. 
+ + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -SYSTEM - Full Control +Use the AuditPol tool to review the current Audit Policy configuration: -Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions +Open an elevated "Command Prompt" (run as administrator). -Enterprise Admins - Full Control +Enter "AuditPol /get /category:*" -Key Admins - Special permissions +Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. -Enterprise Key Admins - Special permissions +Logon/Logoff >> Account Lockout - Failure + + + + + SRG-OS-000470-GPOS-00214 + <GroupDescription></GroupDescription> + + WN16-AU-000240 + Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
-Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions +Audit Group Membership records information related to the group membership of a user's logon token.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73447 + SV-88099 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Group Membership" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Pre-Windows 2000 Compatible Access - Special permissions +Use the AuditPol tool to review the current Audit Policy configuration: -The Special permissions for Pre-Windows 2000 Compatible Access are Read types. +Open an elevated "Command Prompt" (run as administrator). -If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. +Enter "AuditPol /get /category:*" -ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +Logon/Logoff >> Group Membership - Success - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000032-GPOS-00013 <GroupDescription></GroupDescription> - - WN16-DC-000110 - Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions. - <VulnDiscussion>When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. + + WN16-AU-000250 + Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -For Active Directory, the OU objects require special attention. In a distributed administration model (i.e., help desk), OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. 
This could result in unauthorized access to data or a denial of service to authorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. + +Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Maintain the permissions on domain-defined OUs to be at least as restrictive as the defaults below. + SV-88101 + V-73449 + CCI-000172 + CCI-000067 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logoff" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
-Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented. +Use the AuditPol tool to review the current Audit Policy configuration: -CREATOR OWNER - Special permissions +Open an elevated "Command Prompt" (run as administrator). -Self - Special permissions +Enter "AuditPol /get /category:*". -Authenticated Users - Read, Special permissions +Compare the AuditPol settings with the following. -The special permissions for Authenticated Users are Read type. +If the system does not audit the following, this is a finding. -SYSTEM - Full Control +Logon/Logoff >> Logoff - Success + + + + + SRG-OS-000032-GPOS-00013 + <GroupDescription></GroupDescription> + + WN16-AU-000260 + Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Domain Admins - Full Control +Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. 
-Enterprise Admins - Full Control +Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88103 + V-73451 + CCI-000067 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Key Admins - Special permissions +Use the AuditPol tool to review the current Audit Policy configuration: -Enterprise Key Admins - Special permissions +Open an elevated "Command Prompt" (run as administrator). -Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions +Enter "AuditPol /get /category:*". -Pre-Windows 2000 Compatible Access - Special permissions +Compare the AuditPol settings with the following. -The special permissions for Pre-Windows 2000 Compatible Access are for Read types. +If the system does not audit the following, this is a finding. -ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions - - - - This applies to domain controllers. It is NA for other systems. 
+Logon/Logoff >> Logon - Success + + + + + SRG-OS-000032-GPOS-00013 + <GroupDescription></GroupDescription> + + WN16-AU-000270 + Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Review the permissions on domain-defined OUs. +Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. -Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). +Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88105 + V-73453 + CCI-000172 + CCI-000067 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Failure" selected. 
+ + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Ensure "Advanced Features" is selected in the "View" menu. +Use the AuditPol tool to review the current Audit Policy configuration: -For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: +Open an elevated "Command Prompt" (run as administrator). -Right-click the OU and select "Properties". +Enter "AuditPol /get /category:*". -Select the "Security" tab. +Compare the AuditPol settings with the following. -If the permissions on the OU are not at least as restrictive as those below, this is a finding. +If the system does not audit the following, this is a finding. -The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button. +Logon/Logoff >> Logon - Failure + + + + + SRG-OS-000470-GPOS-00214 + <GroupDescription></GroupDescription> + + WN16-AU-000280 + Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. +Special Logon records special logons that have administrative privileges and can be used to elevate processes. 
-CREATOR OWNER - Special permissions +Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88107 + V-73455 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Special Logon" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Self - Special permissions +Use the AuditPol tool to review the current Audit Policy configuration: -Authenticated Users - Read, Special permissions +Open an elevated "Command Prompt" (run as administrator). -The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. +Enter "AuditPol /get /category:*". -SYSTEM - Full Control +Compare the AuditPol settings with the following. 
-Domain Admins - Full Control - -Enterprise Admins - Full Control - -Key Admins - Special permissions - -Enterprise Key Admins - Special permissions - -Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions - -Pre-Windows 2000 Compatible Access - Special permissions - -The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. - -ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions - -If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO. - -If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts). +If the system does not audit the following, this is a finding. -If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs). +Logon/Logoff >> Special Logon - Success - - SRG-OS-000138-GPOS-00069 + + SRG-OS-000470-GPOS-00214 <GroupDescription></GroupDescription> - - WN16-DC-000120 - Data files owned by users must be on a different logical partition from the directory server data files. - <VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. 
Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. + + WN16-AU-000285 + Windows 2016 must be configured to audit Object Access - Other Object Access Events successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001090 - Move shares used to store files owned by 
users to a different logical partition than the directory server data files. - - - - This applies to domain controllers. It is NA for other systems. - -Run "Regedit". - -Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". + SV-101009 + V-90359 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Note the directory locations in the values for "DSA Database file". +Use the "AuditPol" tool to review the current Audit Policy configuration: -Open "Command Prompt". +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as Administrator"). -Enter "net share". +Enter "AuditPol /get /category:*" -Note the logical drive(s) or file system partition for any organization-created data shares. +Compare the "AuditPol" settings with the following: -Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored. +If the system does not audit the following, this is a finding. -If user shares are located on the same logical partition as the directory server data files, this is a finding. +Object Access >> Other Object Access Events - Success - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000470-GPOS-00214 <GroupDescription></GroupDescription> - - WN16-DC-000130 - Domain controllers must run on a machine dedicated to that function. - <VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. 
Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer. + + WN16-AU-000286 + Windows 2016 must be configured to audit Object Access - Other Object Access Events failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA 
DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000381 - Remove additional roles or applications such as web, database, and email from the domain controller. - - - - This applies to domain controllers, It is NA for other systems. - -Review the installed roles the domain controller is supporting. - -Start "Server Manager". - -Select "AD DS" in the left pane and the server name under "Servers" to the right. - -Select "Add (or Remove) Roles and Features" from "Tasks" in the "Roles and Features" section. (Cancel before any changes are made.) - -Determine if any additional server roles are installed. A basic domain controller setup will include the following: + V-90361 + SV-101011 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -- Active Directory Domain Services -- DNS Server -- File and Storage Services +Use the "AuditPol" tool to review the current Audit Policy configuration: -If any roles not requiring installation on a domain controller are installed, this is a finding. +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as Administrator"). -A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. +Enter "AuditPol /get /category:*" -Run "Programs and Features". +Compare the "AuditPol" settings with the following: -Review installed applications. +If the system does not audit the following, this is a finding. 
-If any applications are installed that are not required for the domain controller, this is a finding. +Object Access >> Other Object Access Events - Failure - - SRG-OS-000396-GPOS-00176 + + SRG-OS-000474-GPOS-00219 <GroupDescription></GroupDescription> - - WN16-DC-000140 - Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. - <VulnDiscussion>Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-AU-000290 + Windows Server 2016 must be configured to audit Object Access - Removable Storage successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002450 - Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfer replication data through a network cleared to a lower level than the data. - - - - This applies to domain controllers. It is NA for other systems. + SV-88109 + V-73457 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Review the organization network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted. +Use the AuditPol tool to review the current Audit Policy configuration: -Determine the classification level of the Windows domain controller. +Open an elevated "Command Prompt" (run as administrator). 
-If the classification level of the Windows domain controller is higher than the level of the networks, review the organization network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic. +Enter "AuditPol /get /category:*". -If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding. +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Success + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000474-GPOS-00219 <GroupDescription></GroupDescription> - - WN16-DC-000150 - Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. - <VulnDiscussion>To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-AU-000300 + Windows Server 2016 must be configured to audit Object Access - Removable Storage failures. 
+ <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access. - -For AD, there are multiple configuration items that could enable anonymous access. - -Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc). - -The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG. - - - - This applies to domain controllers. It is NA for other systems. - -Open "Command Prompt" (not elevated). - -Run "ldp.exe". - -From the "Connection menu", select "Bind". - -Clear the User, Password, and Domain fields. 
- -Select "Simple bind" for the Bind type and click "OK". - -Confirmation of anonymous access will be displayed at the end: - -res = ldap_simple_bind_s -Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' - -From the "Browse" menu, select "Search". + V-73459 + SV-88111 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. +Use the AuditPol tool to review the current Audit Policy configuration: -Clear the Attributes field and select "Run". +Open an elevated "Command Prompt" (run as administrator). -Error messages should display related to Bind and user not authenticated. +Enter "AuditPol /get /category:*". -If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding. +Compare the AuditPol settings with the following. -The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. +If the system does not audit the following, this is a finding. -Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. +Object Access >> Removable Storage - Failure -Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address. 
+Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. - - SRG-OS-000163-GPOS-00072 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-DC-000160 - The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. - <VulnDiscussion>The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-AU-000310 + Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Policy Change records events related to changes in audit policy. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001133 - Configure the directory service to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. - -Open an elevated "Command prompt" (run as administrator). + V-73461 + SV-88113 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Enter "ntdsutil". +Use the AuditPol tool to review the current Audit Policy configuration: -At the "ntdsutil:" prompt, enter "LDAP policies". +Open an elevated "Command Prompt" (run as administrator). -At the "ldap policy:" prompt, enter "connections". +Enter "AuditPol /get /category:*". -At the "server connections:" prompt, enter "connect to server [host-name]" (where [host-name] is the computer name of the domain controller). 
+Compare the AuditPol settings with the following. -At the "server connections:" prompt, enter "q". +If the system does not audit the following, this is a finding. -At the "ldap policy:" prompt, enter "Set MaxConnIdleTime to 300". +Policy Change >> Audit Policy Change - Success + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-AU-000320 + Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Enter "Commit Changes" to save. +Audit Policy Change records events related to changes in audit policy. -Enter "Show values" to verify changes. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73463 + SV-88115 + CCI-002234 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Failure" selected. 
+ + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. - - - - This applies to domain controllers. It is NA for other systems. +Use the AuditPol tool to review the current Audit Policy configuration: Open an elevated "Command Prompt" (run as administrator). -Enter "ntdsutil". - -At the "ntdsutil:" prompt, enter "LDAP policies". +Enter "AuditPol /get /category:*". -At the "ldap policy:" prompt, enter "connections". +Compare the AuditPol settings with the following. -At the "server connections:" prompt, enter "connect to server [host-name]" -(where [host-name] is the computer name of the domain controller). +If the system does not audit the following, this is a finding. -At the "server connections:" prompt, enter "q". +Policy Change >> Audit Policy Change - Failure + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-AU-000330 + Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -At the "ldap policy:" prompt, enter "show values". +Authentication Policy Change records events related to changes in authentication policy, including Kerberos policy and Trust changes. -If the value for MaxConnIdleTime is greater than "300" (5 minutes) or is not specified, this is a finding. 
+Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73465 + SV-88117 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authentication Policy Change" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. +Use the AuditPol tool to review the current Audit Policy configuration: -Alternately, Dsquery can be used to display MaxConnIdleTime: +Open an elevated "Command Prompt" (run as administrator). -Open "Command Prompt (Admin)". -Enter the following command (on a single line). +Enter "AuditPol /get /category:*". -dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits +Compare the AuditPol settings with the following. -The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil). +If the system does not audit the following, this is a finding. 
-If the results do not specify a "MaxConnIdleTime" or it has a value greater than "300" (5 minutes), this is a finding. +Policy Change >> Authentication Policy Change - Success - + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-DC-000170 - Active Directory Group Policy objects must be configured with proper audit settings. - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + + WN16-AU-000340 + Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes Group Policy objects. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. 
The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. +Authorization Policy Change records events related to changes in user rights, such as "Create a token object". -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the audit settings for Group Policy objects to include the following. + SV-88119 + V-73467 + CCI-002234 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authorization Policy Change" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
-This can be done at the Policy level in Active Directory to apply to all group policies. +Use the AuditPol tool to review the current Audit Policy configuration: -Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). +Open an elevated "Command Prompt" (run as administrator). -Select "Advanced Features" from the "View" Menu. - -Navigate to [Domain] >> System >> Policies in the left panel. - -Right click "Policies", select "Properties". - -Select the "Security" tab. - -Select the "Advanced" button. - -Select the "Auditing" tab. +Enter "AuditPol /get /category:*". -Type - Fail -Principal - Everyone -Access - Full Control -Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects +Compare the AuditPol settings with the following. -The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. +If the system does not audit the following, this is a finding. -Type - Success -Principal - Everyone -Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) -Inherited from - Parent Object -Applies to - Descendant groupPolicyContainer objects +Policy Change >> Authorization Policy Change - Success + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-AU-000350 + Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Two instances with the following summary information will be listed. +Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs". -Type - Success -Principal - Everyone -Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) -Inherited from - Parent Object -Applies to - Descendant Organization Unit Objects - - - - This applies to domain controllers. It is NA for other systems. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73469 + SV-88121 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Review the auditing configuration for all Group Policy objects. +Use the AuditPol tool to review the current Audit Policy configuration: -Open "Group Policy Management" (available from various menus or run "gpmc.msc"). 
+Open an elevated "Command Prompt" (run as administrator). -Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). +Enter "AuditPol /get /category:*". -For each Group Policy object: +Compare the AuditPol settings with the following. -Select the Group Policy object item in the left pane. +If the system does not audit the following, this is a finding. -Select the "Delegation" tab in the right pane. +Privilege Use >> Sensitive Privilege Use - Success + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-AU-000360 + Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Select the "Advanced" button. +Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs". -Select the "Advanced" button again and then the "Auditing" tab. 
+Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88123 + V-73471 + CCI-002234 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding. +Use the AuditPol tool to review the current Audit Policy configuration: -Type - Fail -Principal - Everyone -Access - Full Control -Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects +Open an elevated "Command Prompt" (run as administrator). -The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. +Enter "AuditPol /get /category:*". 
-Type - Success -Principal - Everyone -Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) -Inherited from - Parent Object -Applies to - Descendant groupPolicyContainer objects +Compare the AuditPol settings with the following. -Two instances with the following summary information will be listed. +If the system does not audit the following, this is a finding. -Type - Success -Principal - Everyone -Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) -Inherited from - Parent Object -Applies to - Descendant Organization Unit Objects +Privilege Use >> Sensitive Privilege Use - Failure - + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-DC-000180 - The Active Directory Domain object must be configured with proper audit settings. - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + + WN16-AU-000370 + Windows Server 2016 must be configured to audit System - IPsec Driver successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
-For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. +IPsec Driver records events related to the IPsec Driver, such as dropped packets. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). - -Ensure "Advanced Features" is selected in the "View" menu. - -Select the domain being reviewed in the left pane. - -Right-click the domain name and select "Properties". - -Select the "Security" tab. - -Select the "Advanced" button and then the "Auditing" tab. - -Configure the audit settings for Domain object to include the following. 
+ SV-88125 + V-73473 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Type - Fail -Principal - Everyone -Access - Full Control -Inherited from - None -Applies to - This object only +Use the AuditPol tool to review the current Audit Policy configuration: -The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. +Open an elevated "Command Prompt" (run as administrator). -Two instances with the following summary information will be listed. +Enter "AuditPol /get /category:*". -Type - Success -Principal - Everyone -Access - (blank) -Inherited from - None -Applies to - Special +Compare the AuditPol settings with the following. -Type - Success -Principal - Domain Users -Access - All extended rights -Inherited from - None -Applies to - This object only +If the system does not audit the following, this is a finding. -Type - Success -Principal - Administrators -Access - All extended rights -Inherited from - None -Applies to - This object only +System >> IPsec Driver - Success + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-AU-000380 + Windows Server 2016 must be configured to audit System - IPsec Driver failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Type - Success -Principal - Everyone -Access - Special -Inherited from - None -Applies to - This object only -(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner.) - - - - This applies to domain controllers. It is NA for other systems. +IPsec Driver records events related to the IPsec Driver, such as dropped packets. -Review the auditing configuration for the Domain object. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88127 + V-73475 + CCI-002234 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). +Use the AuditPol tool to review the current Audit Policy configuration: -Ensure "Advanced Features" is selected in the "View" menu. 
+Open an elevated "Command Prompt" (run as administrator). -Select the domain being reviewed in the left pane. +Enter "AuditPol /get /category:*". -Right-click the domain name and select "Properties". +Compare the AuditPol settings with the following. -Select the "Security" tab. +If the system does not audit the following, this is a finding. -Select the "Advanced" button and then the "Auditing" tab. +System >> IPsec Driver - Failure + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-AU-000390 + Windows Server 2016 must be configured to audit System - Other System Events successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding. +Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. 
-Type - Fail -Principal - Everyone -Access - Full Control -Inherited from - None -Applies to - This object only +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88129 + V-73477 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. +Use the AuditPol tool to review the current Audit Policy configuration: -Two instances with the following summary information will be listed. +Open an elevated "Command Prompt" (run as administrator). -Type - Success -Principal - Everyone -Access - (blank) -Inherited from - None -Applies to - Special +Enter "AuditPol /get /category:*" -Type - Success -Principal - Domain Users -Access - All extended rights -Inherited from - None -Applies to - This object only +Compare the AuditPol settings with the following. 
-Type - Success -Principal - Administrators -Access - All extended rights -Inherited from - None -Applies to - This object only +If the system does not audit the following, this is a finding. -Type - Success -Principal - Everyone -Access - Special -Inherited from - None -Applies to - This object only -(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner) +System >> Other System Events - Success - + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-DC-000190 - The Active Directory Infrastructure object must be configured with proper audit settings. - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + + WN16-AU-000400 + Windows Server 2016 must be configured to audit System - Other System Events failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Infrastructure object. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. +Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). - -Ensure "Advanced Features" is selected in the "View" menu. + SV-88131 + V-73479 + CCI-002234 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Select the domain being reviewed in the left pane. 
+Use the AuditPol tool to review the current Audit Policy configuration: -Right-click the "Infrastructure" object in the right pane and select "Properties". +Open an elevated "Command Prompt" (run as administrator). -Select the "Security" tab. +Enter "AuditPol /get /category:*". -Select the "Advanced" button and then the "Auditing" tab. +Compare the AuditPol settings with the following. -Configure the audit settings for Infrastructure object to include the following. +If the system does not audit the following, this is a finding. -Type - Fail -Principal - Everyone -Access - Full Control -Inherited from - None +System >> Other System Events - Failure + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-AU-000410 + Windows Server 2016 must be configured to audit System - Security State Change successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. +Security State Change records events related to changes in the security state, such as startup and shutdown of the system. 
-Type - Success -Principal - Everyone -Access - Special -Inherited from - None -(Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73481 + SV-88133 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security State Change" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Two instances with the following summary information will be listed. +Use the AuditPol tool to review the current Audit Policy configuration: -Type - Success -Principal - Everyone -Access - (blank) -Inherited from - (CN of domain) - - - - This applies to domain controllers. It is NA for other systems. +Open an elevated "Command Prompt" (run as administrator). -Review the auditing configuration for Infrastructure object. +Enter "AuditPol /get /category:*". -Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). +Compare the AuditPol settings with the following. -Ensure "Advanced Features" is selected in the "View" menu. 
+If the system does not audit the following, this is a finding. -Select the domain being reviewed in the left pane. +System >> Security State Change - Success + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-AU-000420 + Windows Server 2016 must be configured to audit System - Security System Extension successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Right-click the "Infrastructure" object in the right pane and select "Properties". +Security System Extension records events related to extension code being loaded by the security subsystem. -Select the "Security" tab. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73483 + SV-88135 + CCI-002234 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security System Extension" with "Success" selected. 
+ + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Select the "Advanced" button and then the "Auditing" tab. +Use the AuditPol tool to review the current Audit Policy configuration: -If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding. +Open an elevated "Command Prompt" (run as administrator). -Type - Fail -Principal - Everyone -Access - Full Control -Inherited from - None +Enter "AuditPol /get /category:*". -The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. +Compare the AuditPol settings with the following. -Type - Success -Principal - Everyone -Access - Special -Inherited from - None -(Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) +If the system does not audit the following, this is a finding. -Two instances with the following summary information will be listed. -Type - Success -Principal - Everyone -Access - (blank) -Inherited from - (CN of domain) +System >> Security System Extension - Success - + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-DC-000200 - The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. 
A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + + WN16-AU-000440 + Windows Server 2016 must be configured to audit System - System Integrity successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain Controller OU object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. +System Integrity records events related to violations of integrity to the security subsystem. 
-Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + V-73489 + SV-88141 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Ensure "Advanced Features" is selected in the "View" menu. +Use the AuditPol tool to review the current Audit Policy configuration: -Select the "Domain Controllers OU" under the domain being reviewed in the left pane. 
+Open an elevated "Command Prompt" (run as administrator). -Right-click the "Domain Controllers OU" object and select "Properties". +Enter "AuditPol /get /category:*". -Select the "Security" tab. +Compare the AuditPol settings with the following. -Select the "Advanced" button and then the "Auditing" tab. +If the system does not audit the following, this is a finding. -Configure the audit settings for Domain Controllers OU object to include the following. +System >> System Integrity - Success + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-AU-000450 + Windows Server 2016 must be configured to audit System - System Integrity failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Type - Fail -Principal - Everyone -Access - Full Control -Inherited from - None +System Integrity records events related to violations of integrity to the security subsystem. -The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. 
+Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88143 + V-73491 + CCI-002234 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Type - Success -Principal - Everyone -Access - Special -Inherited from - None -Applies to - This object only -(Access - Special = Permissions: all create, delete and modify permissions) +Use the AuditPol tool to review the current Audit Policy configuration: -Type - Success -Principal - Everyone -Access - Write all properties -Inherited from - None -Applies to - This object and all descendant objects +Open an elevated "Command Prompt" (run as administrator). -Two instances with the following summary information will be listed. +Enter "AuditPol /get /category:*". -Type - Success -Principal - Everyone -Access - (blank) -Inherited from - (CN of domain) -Applies to - Descendant Organizational Unit objects - - - - This applies to domain controllers. It is NA for other systems. +Compare the AuditPol settings with the following. -Review the auditing configuration for the Domain Controller OU object. 
+If the system does not audit the following, this is a finding. -Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). +System >> System Integrity - Failure + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + WN16-CC-000010 + The display of slide shows on the lock screen must be disabled. + <VulnDiscussion>Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88145 + V-73493 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> "Prevent enabling lock screen slide show" to "Enabled". + + + + Verify the registry value below. -Ensure "Advanced Features" is selected in the "View" menu. +If it does not exist or is not configured as specified, this is a finding. -Select the "Domain Controllers OU" under the domain being reviewed in the left pane. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ -Right-click the "Domain Controllers OU" object and select "Properties". +Value Name: NoLockScreenSlideshow -Select the "Security" tab. +Value Type: REG_DWORD +Value: 0x00000001 (1) + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + WN16-CC-000030 + WDigest Authentication must be disabled on Windows Server 2016. 
+ <VulnDiscussion>When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows Server 2016. This setting ensures this is enforced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88149 + V-73497 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "WDigest Authentication (disabling may require KB2871997)" to "Disabled". -Select the "Advanced" button and then the "Auditing" tab. +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and " SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ -Type - Fail -Principal - Everyone -Access - Full Control -Inherited from - None -Applies to - This object and all descendant objects +Value Name: UseLogonCredential -The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. 
+Type: REG_DWORD +Value: 0x00000000 (0) + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN16-CC-000040 + Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. + <VulnDiscussion>Configuring the system to disable IPv6 source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73499 + SV-88151 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. -Type - Success -Principal - Everyone -Access - Special -Inherited from - None -Applies to - This object only -(Access - Special = Permissions: all create, delete and modify permissions) +This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + If the following registry value does not exist or is not configured as specified, this is a finding. 
-Type - Success -Principal - Everyone -Access - Write all properties -Inherited from - None -Applies to - This object and all descendant objects +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ -Two instances with the following summary information will be listed. +Value Name: DisableIPSourceRouting -Type - Success -Principal - Everyone -Access - (blank) -Inherited from - (CN of domain) -Applies to - Descendant Organizational Unit objects +Type: REG_DWORD +Value: 0x00000002 (2) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-DC-000210 - The Active Directory AdminSDHolder object must be configured with proper audit settings. - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. - -For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the AdminSDHolder object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000050 + Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. + <VulnDiscussion>Configuring the system to disable IP source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). - -Ensure "Advanced Features" is selected in the "View" menu. - -Select "System" under the domain being reviewed in the left pane. - -Right-click the "AdminSDHolder" object in the right pane and select "Properties". + SV-88153 + V-73501 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. -Select the "Security" tab. 
+This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Select the "Advanced" button and then the "Auditing" tab. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -Configure the audit settings for AdminSDHolder object to include the following. +Value Name: DisableIPSourceRouting -Type - Fail -Principal - Everyone -Access - Full Control -Inherited from - None -Applies to - This object only - -The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. - -Type - Success -Principal - Everyone -Access - Special -Inherited from - None -Applies to - This object only -(Access - Special = Write all properties, Modify permissions, Modify owner) - -Two instances with the following summary information will be listed. - -Type - Success -Principal - Everyone -Access - (blank) -Inherited from - (CN of domain) -Applies to - Descendant Organizational Unit objects - - - - This applies to domain controllers. It is NA for other systems. - -Review the auditing configuration for the "AdminSDHolder" object. - -Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). - -Ensure "Advanced Features" is selected in the "View" menu. - -Select "System" under the domain being reviewed in the left pane. - -Right-click the "AdminSDHolder" object in the right pane and select "Properties". - -Select the "Security" tab. - -Select the "Advanced" button and then the "Auditing" tab. 
- -If the audit settings on the "AdminSDHolder" object are not at least as inclusive as those below, this is a finding. - -Type - Fail -Principal - Everyone -Access - Full Control -Inherited from - None -Applies to - This object only - -The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. - -Type - Success -Principal - Everyone -Access - Special -Inherited from - None -Applies to - This object only -(Access - Special = Write all properties, Modify permissions, Modify owner) - -Two instances with the following summary information will be listed. - -Type - Success -Principal - Everyone -Access - (blank) -Inherited from - (CN of domain) -Applies to - Descendant Organizational Unit objects +Value Type: REG_DWORD +Value: 0x00000002 (2) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-DC-000220 - The Active Directory RID Manager$ object must be configured with proper audit settings. - <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. - -For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the RID Manager$ object. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000060 + Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. + <VulnDiscussion>Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via the shortest path first.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). - -Ensure "Advanced Features" is selected in the "View" menu. 
- -Select "System" under the domain being reviewed in the left pane. - -Right-click the "RID Manager$" object in the right pane and select "Properties". - -Select the "Security" tab. - -Select the "Advanced" button and then the "Auditing" tab. - -Configure the audit settings for RID Manager$ object to include the following. - -Type - Fail -Principal - Everyone -Access - Full Control -Inherited from - None - -The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. - -Type - Success -Principal - Everyone -Access - Special -Inherited from - None - (Access - Special = Write all properties, All extended rights, Change RID master) - -Two instances with the following summary information will be listed. - -Type - Success -Principal - Everyone -Access - (blank) -Inherited from - (CN of domain) - - - - This applies to domain controllers. It is NA for other systems. - -Review the auditing configuration for the "RID Manager$" object. - -Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). - -Ensure "Advanced Features" is selected in the "View" menu. - -Select "System" under the domain being reviewed in the left pane. - -Right-click the "RID Manager$" object in the right pane and select "Properties". - -Select the "Security" tab. - -Select the "Advanced" button and then the "Auditing" tab. - -If the audit settings on the "RID Manager$" object are not at least as inclusive as those below, this is a finding. - -Type - Fail -Principal - Everyone -Access - Full Control -Inherited from - None + SV-88155 + V-73503 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to "Disabled". -The success types listed below are defaults. 
Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. +This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Type - Success -Principal - Everyone -Access - Special -Inherited from - None - (Access - Special = Write all properties, All extended rights, Change RID master) +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -Two instances with the following summary information will be listed. +Value Name: EnableICMPRedirect -Type - Success -Principal - Everyone -Access - (blank) -Inherited from - (CN of domain) +Value Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000342-GPOS-00133 + + SRG-OS-000420-GPOS-00186 <GroupDescription></GroupDescription> - - WN16-AU-000010 - Audit records must be backed up to a different system or media than the system being audited. - <VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000070 + Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers. 
+ <VulnDiscussion>Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001851 - Establish and implement a process for backing up log data to another system or media other than the system being audited. - - - - Determine if a process to back up log data to a different system or media than the system being audited has been implemented. + SV-88157 + V-73505 + CCI-002385 + Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to "Enabled". -If it has not, this is a finding. +This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ + +Value Name: NoNameReleaseOnDemand + +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000479-GPOS-00224 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000020 - Windows Server 2016 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. - <VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000080 + Insecure logons to an SMB server must be disabled. + <VulnDiscussion>Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001851 - Configure the system to, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. 
- - - - Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. + SV-88159 + V-73507 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Lanman Workstation >> "Enable insecure guest logons" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -If they are not, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\ + +Value Name: AllowInsecureGuestAuth + +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000057-GPOS-00027 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000030 - Permissions for the Application event log must prevent access by non-privileged accounts. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Application event log may be susceptible to tampering if proper permissions are not applied. - -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000090 + Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. 
+ <VulnDiscussion>Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in hardened UNC paths before allowing access to them. This aids in preventing tampering with or spoofing of connections to these paths.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000162 - CCI-000163 - CCI-000164 - Configure the permissions on the Application event log file (Application.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: + V-73509 + SV-88161 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Network Provider >> "Hardened UNC Paths" to "Enabled" with at least the following configured in "Hardened UNC Paths": (click the "Show" button to display) -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control +Value Name: \\*\SYSVOL +Value: RequireMutualAuthentication=1, RequireIntegrity=1 -The default location is the "%SystemRoot%\ System32\winevt\Logs" folder. +Value Name: \\*\NETLOGON +Value: RequireMutualAuthentication=1, RequireIntegrity=1 + + + + This requirement is applicable to domain-joined systems. For standalone systems, this is NA. -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". - - - - Navigate to the Application event log file. +If the following registry values do not exist or are not configured as specified, this is a finding. 
-The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\ -If the permissions for the "Application.evtx" file are not as restrictive as the default permissions listed below, this is a finding. +Value Name: \\*\NETLOGON +Value Type: REG_SZ +Value: RequireMutualAuthentication=1, RequireIntegrity=1 -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control +Value Name: \\*\SYSVOL +Value Type: REG_SZ +Value: RequireMutualAuthentication=1, RequireIntegrity=1 + +Additional entries would not be a finding. - - SRG-OS-000057-GPOS-00027 + + SRG-OS-000042-GPOS-00020 <GroupDescription></GroupDescription> - - WN16-AU-000040 - Permissions for the Security event log must prevent access by non-privileged accounts. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Security event log may disclose sensitive information or be susceptible to tampering if proper permissions are not applied. + + WN16-CC-000100 + Command line data must be included in process creation events. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
-Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Enabling "Include command line data for process creation events" will record the command line information with the process creation events in the log. This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000162 - CCI-000163 - CCI-000164 - Configure the permissions on the Security event log file (Security.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\ System32\winevt\Logs" folder. - -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". - - - - Navigate to the Security event log file. + SV-88163 + V-73511 + CCI-000135 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> "Include command line in process creation events" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding. -The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ -If the permissions for the "Security.evtx" file are not as restrictive as the default permissions listed below, this is a finding. +Value Name: ProcessCreationIncludeCmdLine_Enabled -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000057-GPOS-00027 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000050 - Permissions for the System event log must prevent access by non-privileged accounts. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The System event log may be susceptible to tampering if proper permissions are not applied. - -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000110 + Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. 
+ <VulnDiscussion>Virtualization Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum security level, with DMA protection providing additional memory protection. DMA Protection requires a CPU that supports input/output memory management unit (IOMMU).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000162 - CCI-000163 - CCI-000164 - Configure the permissions on the System event log file (System.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: + V-73513 + SV-88165 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot" or "Secure Boot and DMA Protection" selected. -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control +A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: -The default location is the "%SystemRoot%\ System32\winevt\Logs" folder. +https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard + + + + For standalone systems, this is NA. -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". - - - - Navigate to the System event log file. 
+Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. -The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. +Open "PowerShell" with elevated privileges (run as administrator). -If the permissions for the "System.evtx" file are not as restrictive as the default permissions listed below, this is a finding. +Enter the following: -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - - - - - SRG-OS-000257-GPOS-00098 - <GroupDescription></GroupDescription> - - WN16-AU-000060 - Event Viewer must be protected from unauthorized modification and deletion. - <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. +"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" -Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification or deletion of audit tools. +If "RequiredSecurityProperties" does not include a value of "2" indicating "Secure Boot" (e.g., "{1, 2}"), this is a finding. 
-Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-001494 - CCI-001495 - Configure the permissions on the "Eventvwr.exe" file to prevent modification by any groups or accounts other than TrustedInstaller. The default permissions listed below satisfy this requirement: +If "Secure Boot and DMA Protection" is configured, "3" will also be displayed in the results (e.g., "{1, 2, 3}"). -TrustedInstaller - Full Control -Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute +If "VirtualizationBasedSecurityStatus" is not a value of "2" indicating "Running", this is a finding. -The default location is the "%SystemRoot%\ System32" folder. - - - - Navigate to "%SystemRoot%\System32". +Alternately: -View the permissions on "Eventvwr.exe". +Run "System Information". -If any groups or accounts other than TrustedInstaller have "Full control" or "Modify" permissions, this is a finding. +Under "System Summary", verify the following: -The default permissions below satisfy this requirement: +If "Device Guard Virtualization based security" does not display "Running", this is finding. -TrustedInstaller - Full Control -Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute - - - - - SRG-OS-000470-GPOS-00214 - <GroupDescription></GroupDescription> - - WN16-AU-000070 - Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes. 
- <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. +If "Device Guard Required Security Properties" does not display "Base Virtualization Support, Secure Boot", this is finding. -Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. +If "Secure Boot and DMA Protection" is configured, "DMA Protection" will also be displayed (e.g., "Base Virtualization Support, Secure Boot, DMA Protection"). -Use the AuditPol tool to review the current Audit Policy configuration: +The policy settings referenced in the Fix section will configure the following registry values. 
However, due to hardware requirements, the registry values alone do not ensure proper function. -Open an elevated "Command Prompt" (run as administrator). +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ -Enter "AuditPol /get /category:*". +Value Name: EnableVirtualizationBasedSecurity +Value Type: REG_DWORD +Value: 0x00000001 (1) -Compare the AuditPol settings with the following. +Value Name: RequirePlatformSecurityFeatures +Value Type: REG_DWORD +Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA Protection) -If the system does not audit the following, this is a finding. +A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: -Account Logon >> Credential Validation - Success +https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard - - SRG-OS-000470-GPOS-00214 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000080 - Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000140 + Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. + <VulnDiscussion>Compromised boot drivers can introduce malware prior to protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on classifications determined by the malware protection application. At a minimum, drivers determined to be bad must not be allowed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
+ SV-88173 + V-73521 + CCI-000366 + The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). -Use the AuditPol tool to review the current Audit Policy configuration: +If this needs to be corrected or a more secure setting is desired, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Early Launch Antimalware >> "Boot-Start Driver Initialization Policy" to "Not Configured" or "Enabled" with any option other than "All" selected. + + + + The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). -Open an elevated "Command Prompt" (run as administrator). +If the registry value name below does not exist, this is not a finding. -Enter "AuditPol /get /category:*". +If it exists and is configured with a value of "0x00000007 (7)", this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\ -If the system does not audit the following, this is a finding. +Value Name: DriverLoadPolicy -Account Logon >> Credential Validation - Failure +Value Type: REG_DWORD +Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name does not exist) + +Possible values for this setting are: +8 - Good only +1 - Good and unknown +3 - Good, unknown and bad but critical +7 - All (which includes "bad" and would be a finding) - - SRG-OS-000004-GPOS-00004 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-DC-000230 - Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes. 
- <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Computer Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling computer accounts. - -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000150 + Group Policy objects must be reprocessed even if they have not changed. + <VulnDiscussion>Registry entries for group policy settings can potentially be changed from the required configuration. This could occur as part of troubleshooting or by a malicious process on a compromised system. Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures the policies will be reprocessed even if none have been changed. 
This way, any unauthorized changes are forced to match the domain-based group policy settings again.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Computer Account Management" with "Success" selected. - - - - This applies to domain controllers. It is NA for other systems. - -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88177 + V-73525 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Group Policy >> "Configure registry policy processing" to "Enabled" with the option "Process even if the Group Policy objects have not changed" selected. + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ -If the system does not audit the following, this is a finding. +Value Name: NoGPOListChanges -Account Management >> Computer Account Management - Success +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN16-AU-000100 - Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Other Account Management Events records events such as the access of a password hash or the Password Policy Checking API being called. + + WN16-CC-000160 + Downloading print driver packages over HTTP must be prevented. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. 
-Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Other Account Management Events" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". 
+ SV-88179 + V-73527 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off downloading of print drivers over HTTP" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ -If the system does not audit the following, this is a finding. +Value Name: DisableWebPnPDownload -Account Management >> Other Account Management Events - Success +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000004-GPOS-00004 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN16-AU-000120 - Windows Server 2016 must be configured to audit Account Management - Security Group Management successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Security Group Management records events such as creating, deleting, or changing security groups, including changes in group members. + + WN16-CC-000170 + Printing over HTTP must be prevented. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Security Group Management" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". 
+ V-73529 + SV-88181 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off printing over HTTP" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ -If the system does not audit the following, this is a finding. +Value Name: DisableHTTPPrinting -Account Management >> Security Group Management - Success +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000004-GPOS-00004 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN16-AU-000140 - Windows Server 2016 must be configured to audit Account Management - User Account Management successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. 
- -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000180 + The network selection user interface (UI) must not be displayed on the logon screen. + <VulnDiscussion>Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). 
- -Enter "AuditPol /get /category:*". + V-73531 + SV-88185 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Do not display network selection UI" to "Enabled". + + + + Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ -If the system does not audit the following, this is a finding. +Value Name: DontDisplayNetworkSelectionUI -Account Management >> User Account Management - Success +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000004-GPOS-00004 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000150 - Windows Server 2016 must be configured to audit Account Management - User Account Management failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. 
- -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000210 + Users must be prompted to authenticate when the system wakes from sleep (on battery). + <VulnDiscussion>A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. This setting ensures users are prompted for a password when the system wakes from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
- -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88197 + V-73537 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (on battery)" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ -If the system does not audit the following, this is a finding. +Value Name: DCSettingIndex -Account Management >> User Account Management - Failure +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000474-GPOS-00219 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000160 - Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Plug and Play activity records events related to the successful connection of external devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000220 + Users must be prompted to authenticate when the system wakes from sleep (plugged in). + <VulnDiscussion>A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. This setting ensures users are prompted for a password when the system wakes from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit PNP Activity" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). 
- -Enter "AuditPol /get /category:*" + SV-88201 + V-73539 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (plugged in)" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ -If the system does not audit the following, this is a finding. +Value Name: ACSettingIndex -Detailed Tracking >> Plug and Play Events - Success +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN16-AU-000170 - Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Process Creation records events related to the creation of a process and the source. + + WN16-CC-000240 + The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. 
-Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit Process Creation" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88207 + V-73543 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> "Turn off Inventory Collector" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppCompat\ -If the system does not audit the following, this is a finding. +Value Name: DisableInventory -Detailed Tracking >> Process Creation - Success +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - WN16-DC-000240 - Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Directory Service Access records events related to users accessing an Active Directory object. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000250 + AutoPlay must be turned off for non-volume devices. + <VulnDiscussion>Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. 
As a result, the setup file of programs or music on audio media may start. This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Access" with "Success" selected. - - - - This applies to domain controllers. It is NA for other systems. - -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88209 + V-73545 + CCI-001764 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Disallow Autoplay for non-volume devices" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ -If the system does not audit the following, this is a finding. 
+Value Name: NoAutoplayfornonVolume -DS Access >> Directory Service Access - Success +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - WN16-DC-000250 - Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Directory Service Access records events related to users accessing an Active Directory object. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000260 + The default AutoRun behavior must be configured to prevent AutoRun commands. + <VulnDiscussion>Allowing AutoRun commands to execute may introduce malicious code to a system. 
Configuring this setting prevents AutoRun commands from executing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Access" with "Failure" selected. - - - - This applies to domain controllers. It is NA for other systems. - -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + V-73547 + SV-88211 + CCI-001764 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Set the default behavior for AutoRun" to "Enabled" with "Do not execute any autorun commands" selected. + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ -If the system does not audit the following, this is a finding. 
+Value Name: NoAutorun -DS Access >> Directory Service Access - Failure +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - WN16-DC-000260 - Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Directory Service Changes records events related to changes made to objects in Active Directory Domain Services. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000270 + AutoPlay must be disabled for all drives. + <VulnDiscussion>Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. 
Enabling this policy disables AutoPlay on all drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Changes" with "Success" selected. - - - - This applies to domain controllers. It is NA for other systems. - -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88213 + V-73549 + CCI-001764 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Turn off AutoPlay" to "Enabled" with "All Drives" selected. + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -If the system does not audit the following, this is a finding. 
+Value Name: NoDriveTypeAutoRun -DS Access >> Directory Service Changes - Success +Type: REG_DWORD +Value: 0x000000ff (255) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - - WN16-DC-000270 - Windows Server 2016 must be configured to audit DS Access - Directory Service Changes failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Directory Service Changes records events related to changes made to objects in Active Directory Domain Services. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000280 + Administrator accounts must not be enumerated during elevation. + <VulnDiscussion>Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. 
This setting configures the system to always require users to type in a username and password to elevate a running application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Changes" with "Failure" selected. - - - - This applies to domain controllers. It is NA for other systems. - -Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88139 + V-73487 + CCI-001084 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ -If the system does not audit the following, this is a finding. 
+Value Name: EnumerateAdministrators -DS Access >> Directory Service Changes - Failure +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000240-GPOS-00090 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000220 - Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Account Lockout events can be used to identify potentially malicious logon attempts. - -Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000290 + Windows Telemetry must be configured to Security or Basic. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender, and telemetry client settings. 
"Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-001404 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*" + SV-88215 + V-73551 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Data Collection and Preview Builds>> "Allow Telemetry" to "Enabled" with "0 - Security [Enterprise Only]" or "1 - Basic" selected in "Options". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\ -If the system does not audit the following, this is a finding. 
+Value Name: AllowTelemetry -Logon/Logoff >> Account Lockout - Success +Type: REG_DWORD +Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic) - - SRG-OS-000240-GPOS-00090 + + SRG-OS-000341-GPOS-00132 <GroupDescription></GroupDescription> - - WN16-AU-000230 - Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Account Lockout events can be used to identify potentially malicious logon attempts. - -Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000300 + The Application event log size must be configured to 32768 KB or greater. + <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-001404 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: + V-73553 + SV-88217 + CCI-001849 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater. + + + + If the system is configured to write events directly to an audit server, this is NA. -Open an elevated "Command Prompt" (run as administrator). +If the following registry value does not exist or is not configured as specified, this is a finding. -Enter "AuditPol /get /category:*" +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ -Compare the AuditPol settings with the following. If the system does not audit the following, this is a finding. 
+Value Name: MaxSize -Logon/Logoff >> Account Lockout - Failure +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) - - SRG-OS-000470-GPOS-00214 + + SRG-OS-000341-GPOS-00132 <GroupDescription></GroupDescription> - - WN16-AU-000240 - Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Group Membership records information related to the group membership of a user's logon token.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000310 + The Security event log size must be configured to 196608 KB or greater. + <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Group Membership" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). + SV-88219 + V-73555 + CCI-001849 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Security >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "196608" or greater. + + + + If the system is configured to write events directly to an audit server, this is NA. -Enter "AuditPol /get /category:*" +If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ -If the system does not audit the following, this is a finding. 
+Value Name: MaxSize -Logon/Logoff >> Group Membership - Success +Type: REG_DWORD +Value: 0x00030000 (196608) (or greater) - - SRG-OS-000032-GPOS-00013 + + SRG-OS-000341-GPOS-00132 <GroupDescription></GroupDescription> - - WN16-AU-000250 - Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. - -Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000320 + The System event log size must be configured to 32768 KB or greater. + <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000067 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logoff" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + V-73557 + SV-88221 + CCI-001849 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> System >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater. + + + + If the system is configured to write events directly to an audit server, this is NA. -Use the AuditPol tool to review the current Audit Policy configuration: +If the following registry value does not exist or is not configured as specified, this is a finding. -Open an elevated "Command Prompt" (run as administrator). +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ -Enter "AuditPol /get /category:*". +Value Name: MaxSize -Compare the AuditPol settings with the following. - -If the system does not audit the following, this is a finding. 
- -Logon/Logoff >> Logoff - Success +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) - - SRG-OS-000032-GPOS-00013 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN16-AU-000260 - Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. - -Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000330 + Windows Server 2016 Windows SmartScreen must be enabled. + <VulnDiscussion>Windows SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. 
Enabling SmartScreen will warn users of potentially malicious programs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000067 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). + SV-88223 + V-73559 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled". + + + + This is applicable to unclassified systems; for other systems, this is NA. -Enter "AuditPol /get /category:*". +If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ -If the system does not audit the following, this is a finding. 
+Value Name: EnableSmartScreen -Logon/Logoff >> Logon - Success +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000032-GPOS-00013 + + SRG-OS-000433-GPOS-00192 <GroupDescription></GroupDescription> - - WN16-AU-000270 - Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. - -Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000340 + Explorer Data Execution Prevention must be enabled. + <VulnDiscussion>Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. 
This setting will prevent Data Execution Prevention from being turned off for File Explorer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000067 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + SV-88225 + V-73561 + CCI-002824 + The default behavior is for data execution prevention to be turned on for File Explorer. -Use the AuditPol tool to review the current Audit Policy configuration: +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off Data Execution Prevention for Explorer" to "Not Configured" or "Disabled". + + + + The default behavior is for Data Execution Prevention to be turned on for File Explorer. -Open an elevated "Command Prompt" (run as administrator). +If the registry value name below does not exist, this is not a finding. -Enter "AuditPol /get /category:*". +If it exists and is configured with a value of "0", this is not a finding. -Compare the AuditPol settings with the following. +If it exists and is configured with a value of "1", this is a finding. 
-If the system does not audit the following, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ -Logon/Logoff >> Logon - Failure +Value Name: NoDataExecutionPrevention + +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist) - - SRG-OS-000470-GPOS-00214 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000280 - Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Special Logon records special logons that have administrative privileges and can be used to elevate processes. - -Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000350 + Turning off File Explorer heap termination on corruption must be disabled. + <VulnDiscussion>Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. 
Disabling this feature will prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Special Logon" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + V-73563 + SV-88227 + CCI-000366 + The default behavior is for File Explorer heap termination on corruption to be disabled. -Use the AuditPol tool to review the current Audit Policy configuration: +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off heap termination on corruption" to "Not Configured" or "Disabled". + + + + The default behavior is for File Explorer heap termination on corruption to be enabled. -Open an elevated "Command Prompt" (run as administrator). +If the registry Value Name below does not exist, this is not a finding. -Enter "AuditPol /get /category:*". +If it exists and is configured with a value of "0", this is not a finding. -Compare the AuditPol settings with the following. +If it exists and is configured with a value of "1", this is a finding. -If the system does not audit the following, this is a finding. 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ -Logon/Logoff >> Special Logon - Success +Value Name: NoHeapTerminationOnCorruption + +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist) - - SRG-OS-000474-GPOS-00219 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000290 - Windows Server 2016 must be configured to audit Object Access - Removable Storage successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000360 + File Explorer shell protocol must run in protected mode. + <VulnDiscussion>The shell protocol will limit the set of folders that applications can open when run in protected mode. 
Restricting files an application can open to a limited set of folders increases the security of Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + V-73565 + SV-88229 + CCI-000366 + The default behavior is for shell protected mode to be turned on for File Explorer. -Use the AuditPol tool to review the current Audit Policy configuration: +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled". + + + + The default behavior is for shell protected mode to be turned on for File Explorer. -Open an elevated "Command Prompt" (run as administrator). +If the registry value name below does not exist, this is not a finding. -Enter "AuditPol /get /category:*". +If it exists and is configured with a value of "0", this is not a finding. -Compare the AuditPol settings with the following. +If it exists and is configured with a value of "1", this is a finding. 
-If the system does not audit the following, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ -Object Access >> Removable Storage - Success +Value Name: PreXPSP2ShellProtocolBehavior -Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist) - - SRG-OS-000474-GPOS-00219 + + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - - WN16-AU-000300 - Windows Server 2016 must be configured to audit Object Access - Removable Storage failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + + WN16-CC-000370 + Passwords must not be saved in the Remote Desktop Client. + <VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client. 
-Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. 
+ V-73567 + SV-88231 + CCI-002038 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> "Do not allow passwords to be saved" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -If the system does not audit the following, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ -Object Access >> Removable Storage - Failure +Value Name: DisablePasswordSaving -Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - - WN16-AU-000310 - Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Policy Change records events related to changes in audit policy. 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000380 + Local drives must be prevented from sharing with Remote Desktop Session Hosts. + <VulnDiscussion>Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". 
+ SV-88233 + V-73569 + CCI-001090 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> "Do not allow drive redirection" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ -If the system does not audit the following, this is a finding. +Value Name: fDisableCdm -Policy Change >> Audit Policy Change - Success +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - - WN16-AU-000320 - Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Policy Change records events related to changes in audit policy. + + WN16-CC-000390 + Remote Desktop Services must always prompt a client for passwords upon connection. + <VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server. 
-Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88235 + V-73571 + CCI-002038 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Always prompt for password upon connection" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ -If the system does not audit the following, this is a finding. +Value Name: fPromptForPassword -Policy Change >> Audit Policy Change - Failure +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000250-GPOS-00093 <GroupDescription></GroupDescription> - - WN16-AU-000330 - Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Authentication Policy Change records events related to changes in authentication policy, including Kerberos policy and Trust changes. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000400 + The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications. 
+ <VulnDiscussion>Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a client and server and modifies them before allowing the packets to be exchanged. Usually the attacker will modify the information in the packets in an attempt to cause either the client or server to reveal sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authentication Policy Change" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88237 + V-73573 + CCI-001453 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Require secure RPC communication" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. 
-Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ -If the system does not audit the following, this is a finding. +Value Name: fEncryptRPCTraffic -Policy Change >> Authentication Policy Change - Success +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000250-GPOS-00093 <GroupDescription></GroupDescription> - - WN16-AU-000340 - Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Authorization Policy Change records events related to changes in user rights, such as "Create a token object". - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000410 + Remote Desktop Services must be configured with the client connection encryption set to High Level. + <VulnDiscussion>Remote connections must be encrypted to prevent interception of data or sensitive information. 
Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authorization Policy Change" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + V-73575 + SV-88239 + CCI-001453 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Set client connection encryption level" to "Enabled" with "High Level" selected. + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ -If the system does not audit the following, this is a finding. 
+Value Name: MinEncryptionLevel -Policy Change >> Authorization Policy Change - Success +Type: REG_DWORD +Value: 0x00000003 (3) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000350 - Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs". - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000420 + Attachments must be prevented from being downloaded from RSS feeds. + <VulnDiscussion>Attachments from RSS feeds may not be secure. 
This setting will prevent attachments from being downloaded from RSS feeds.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88241 + V-73577 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Prevent downloading of enclosures" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ -If the system does not audit the following, this is a finding. 
+Value Name: DisableEnclosureDownload -Privilege Use >> Sensitive Privilege Use - Success +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000360 - Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs". + + WN16-CC-000421 + The Windows Explorer Preview pane must be disabled for Windows Server 2016. + <VulnDiscussion>A known vulnerability in Windows could allow the execution of malicious code by either opening a compromised document or viewing it in the Windows Preview pane. 
-Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Organizations must disable the Windows Preview pane and Windows Detail pane.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + SV-111573 + V-102623 + CCI-000366 + Ensure the following settings are configured for Windows Server 2016 locally or applied through group policy. -Use the AuditPol tool to review the current Audit Policy configuration: +Configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Explorer Frame Pane "Turn off Preview Pane" to "Enabled". 
-Open an elevated "Command Prompt" (run as administrator). +Configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Explorer Frame Pane "Turn on or off details pane" to "Enabled" and "Configure details pane" to "Always hide". + + + + If the following registry values do not exist or are not configured as specified, this is a finding: -Enter "AuditPol /get /category:*". +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -Compare the AuditPol settings with the following. +Value Name: NoPreviewPane -If the system does not audit the following, this is a finding. +Value Type: REG_DWORD -Privilege Use >> Sensitive Privilege Use - Failure +Value: 1 + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + +Value Name: NoReadingPane + +Value Type: REG_DWORD + +Value: 1 + - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN16-AU-000370 - Windows Server 2016 must be configured to audit System - IPsec Driver successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -IPsec Driver records events related to the IPsec Driver, such as dropped packets. 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000430 + Basic authentication for RSS feeds over HTTP must not be used. + <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + V-73579 + SV-88243 + CCI-000381 + The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. 
-Use the AuditPol tool to review the current Audit Policy configuration: +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Turn on Basic feed authentication over HTTP" to "Not Configured" or "Disabled". + + + + The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. -Open an elevated "Command Prompt" (run as administrator). +If the registry value name below does not exist, this is not a finding. -Enter "AuditPol /get /category:*". +If it exists and is configured with a value of "0", this is not a finding. -Compare the AuditPol settings with the following. +If it exists and is configured with a value of "1", this is a finding. -If the system does not audit the following, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ -System >> IPsec Driver - Success +Value Name: AllowBasicAuthInClear + +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN16-AU-000380 - Windows Server 2016 must be configured to audit System - IPsec Driver failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -IPsec Driver records events related to the IPsec Driver, such as dropped packets. 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000440 + Indexing of encrypted files must be turned off. + <VulnDiscussion>Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". 
+ V-73581 + SV-88245 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> "Allow indexing of encrypted files" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Windows Search\ -If the system does not audit the following, this is a finding. +Value Name: AllowIndexingEncryptedStoresOrItems -System >> IPsec Driver - Failure +Value Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000362-GPOS-00149 <GroupDescription></GroupDescription> - - WN16-AU-000390 - Windows Server 2016 must be configured to audit System - Other System Events successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000450 + Users must be prevented from changing installation options. + <VulnDiscussion>Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + SV-88247 + V-73583 + CCI-001812 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Allow user control over installs" to "Disabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Use the AuditPol tool to review the current Audit Policy configuration: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ -Open an elevated "Command Prompt" (run as administrator). +Value Name: EnableUserControl -Enter "AuditPol /get /category:*" +Type: REG_DWORD +Value: 0x00000000 (0) + + + + + SRG-OS-000362-GPOS-00149 + <GroupDescription></GroupDescription> + + WN16-CC-000460 + The Windows Installer Always install with elevated privileges option must be disabled. + <VulnDiscussion>Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73585 + SV-88249 + CCI-001812 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ -If the system does not audit the following, this is a finding. 
+Value Name: AlwaysInstallElevated -System >> Other System Events - Success +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-AU-000400 - Windows Server 2016 must be configured to audit System - Other System Events failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000470 + Users must be notified if a web-based program attempts to install software. + <VulnDiscussion>Web-based programs may attempt to install malicious software on a system. 
Ensuring users are notified if a web-based program attempts to install software allows them to refuse the installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + SV-88251 + V-73587 + CCI-000366 + The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. -Use the AuditPol tool to review the current Audit Policy configuration: +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Not Configured" or "Disabled". + + + + The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. -Open an elevated "Command Prompt" (run as administrator). +If the registry value name below does not exist, this is not a finding. 
-Enter "AuditPol /get /category:*". +If it exists and is configured with a value of "0", this is not a finding. -Compare the AuditPol settings with the following. +If it exists and is configured with a value of "1", this is a finding. -If the system does not audit the following, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ -System >> Other System Events - Failure +Value Name: SafeForScripting + +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000480-GPOS-00229 <GroupDescription></GroupDescription> - - WN16-AU-000410 - Windows Server 2016 must be configured to audit System - Security State Change successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Security State Change records events related to changes in the security state, such as startup and shutdown of the system. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000480 + Automatically signing in the last interactive user after a system-initiated restart must be disabled. 
+ <VulnDiscussion>Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security State Change" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88253 + V-73589 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> "Sign-in last interactive user automatically after a system-initiated restart" to "Disabled". + + + + Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -If the system does not audit the following, this is a finding. +Value Name: DisableAutomaticRestartSignOn -System >> Security State Change - Success +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000042-GPOS-00020 <GroupDescription></GroupDescription> - - WN16-AU-000420 - Windows Server 2016 must be configured to audit System - Security System Extension successes. + + WN16-CC-000490 + PowerShell script block logging must be enabled. <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Security System Extension records events related to extension code being loaded by the security subsystem. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. 
This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security System Extension" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88255 + V-73591 + CCI-000135 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ -If the system does not audit the following, this is a finding. 
+Value Name: EnableScriptBlockLogging -System >> Security System Extension - Success +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000134-GPOS-00068 + + SRG-OS-000125-GPOS-00065 <GroupDescription></GroupDescription> - - WN16-CC-000280 - Administrator accounts must not be enumerated during elevation. - <VulnDiscussion>Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000500 + The Windows Remote Management (WinRM) client must not use Basic authentication. + <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001084 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled". 
- - - + SV-88257 + V-73593 + CCI-000877 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow Basic authentication" to "Disabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ -Value Name: EnumerateAdministrators +Value Name: AllowBasic Type: REG_DWORD Value: 0x00000000 (0) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000393-GPOS-00173 <GroupDescription></GroupDescription> - - WN16-AU-000440 - Windows Server 2016 must be configured to audit System - System Integrity successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -System Integrity records events related to violations of integrity to the security subsystem. + + WN16-CC-000510 + The Windows Remote Management (WinRM) client must not allow unencrypted traffic. + <VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. 
-Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + V-73595 + SV-88259 + CCI-002890 + CCI-003123 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow unencrypted traffic" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. 
-Use the AuditPol tool to review the current Audit Policy configuration: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ -Open an elevated "Command Prompt" (run as administrator). +Value Name: AllowUnencryptedTraffic -Enter "AuditPol /get /category:*". - -Compare the AuditPol settings with the following. - -If the system does not audit the following, this is a finding. - -System >> System Integrity - Success +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000125-GPOS-00065 <GroupDescription></GroupDescription> - - WN16-AU-000450 - Windows Server 2016 must be configured to audit System - System Integrity failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -System Integrity records events related to violations of integrity to the security subsystem. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000520 + The Windows Remote Management (WinRM) client must not use Digest authentication. + <VulnDiscussion>Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. 
Disallowing Digest authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the AuditPol tool to review the current Audit Policy configuration: - -Open an elevated "Command Prompt" (run as administrator). - -Enter "AuditPol /get /category:*". + SV-88261 + V-73597 + CCI-000877 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Disallow Digest authentication" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Compare the AuditPol settings with the following. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ -If the system does not audit the following, this is a finding. 
+Value Name: AllowDigest -System >> System Integrity - Failure +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000125-GPOS-00065 <GroupDescription></GroupDescription> - - WN16-CC-000010 - The display of slide shows on the lock screen must be disabled. - <VulnDiscussion>Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000530 + The Windows Remote Management (WinRM) service must not use Basic authentication. + <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> "Prevent enabling lock screen slide show" to "Enabled". - - - - Verify the registry value below. - -If it does not exist or is not configured as specified, this is a finding. 
+ SV-88263 + V-73599 + CCI-000877 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow Basic authentication" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ -Value Name: NoLockScreenSlideshow +Value Name: AllowBasic -Value Type: REG_DWORD -Value: 0x00000001 (1) +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000393-GPOS-00173 <GroupDescription></GroupDescription> - - WN16-CC-000030 - WDigest Authentication must be disabled on Windows Server 2016. - <VulnDiscussion>When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows Server 2016. This setting ensures this is enforced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000540 + The Windows Remote Management (WinRM) service must not allow unencrypted traffic. + <VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. 
+ +Satisfies: SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "WDigest Authentication (disabling may require KB2871997)" to "Disabled". - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and " SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - - - + SV-88265 + V-73601 + CCI-002890 + CCI-003123 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow unencrypted traffic" to "Disabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ -Value Name: UseLogonCredential +Value Name: AllowUnencryptedTraffic -Type: REG_DWORD -Value: 0x00000000 (0) +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - - WN16-CC-000040 - Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. 
- <VulnDiscussion>Configuring the system to disable IPv6 source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-CC-000550 + The Windows Remote Management (WinRM) service must not store RunAs credentials. + <VulnDiscussion>Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins. + +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. - -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. 
- - - + V-73603 + SV-88267 + CCI-002038 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Disallow WinRM from storing RunAs credentials" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ -Value Name: DisableIPSourceRouting +Value Name: DisableRunAs Type: REG_DWORD -Value: 0x00000002 (2) +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-CC-000050 - Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. - <VulnDiscussion>Configuring the system to disable IP source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000010 + Only administrators responsible for the domain controller must have Administrator rights on the system. + <VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. + +System administrators must log on to systems using only accounts with the minimum level of authority necessary. 
+ +Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. + V-73219 + SV-87871 + CCI-002235 + Configure the Administrators group to include only administrator groups or accounts that are responsible for the system. -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Remove any standard user accounts. + + + + This applies to domain controllers. A separate version applies to other systems. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ +Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. -Value Name: DisableIPSourceRouting +Standard user accounts must not be members of the local administrator group. 
-Value Type: REG_DWORD -Value: 0x00000002 (2) +If prohibited accounts are members of the local administrators group, this is a finding. + +If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding. - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000112-GPOS-00057 <GroupDescription></GroupDescription> - - WN16-CC-000060 - Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. - <VulnDiscussion>Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via the shortest path first.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000020 + Kerberos user logon restrictions must be enforced. + <VulnDiscussion>This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented. 
+ +Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to "Disabled". + SV-88011 + V-73359 + CCI-001941 + CCI-001942 + Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled". + + + + This applies to domain controllers. It is NA for other systems. -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Verify the following is configured in the Default Domain Policy. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ +Open "Group Policy Management". -Value Name: EnableICMPRedirect +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). -Value Type: REG_DWORD -Value: 0x00000000 (0) +Right-click on the "Default Domain Policy". + +Select "Edit". 
+ +Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. + +If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding. - - SRG-OS-000420-GPOS-00186 + + SRG-OS-000112-GPOS-00057 <GroupDescription></GroupDescription> - - WN16-CC-000070 - Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers. - <VulnDiscussion>Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000030 + The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. + <VulnDiscussion>This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection. 
+ +Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002385 - Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to "Enabled". + SV-88013 + V-73361 + CCI-001941 + CCI-001942 + Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for service ticket" to a maximum of "600" minutes, but not "0", which equates to "Ticket doesn't expire". + + + + This applies to domain controllers. It is NA for other systems. -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Verify the following is configured in the Default Domain Policy. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ +Open "Group Policy Management". -Value Name: NoNameReleaseOnDemand +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). 
-Value Type: REG_DWORD -Value: 0x00000001 (1) +Right-click on the "Default Domain Policy". + +Select "Edit". + +Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. + +If the value for "Maximum lifetime for service ticket" is "0" or greater than "600" minutes, this is a finding. - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000112-GPOS-00057 <GroupDescription></GroupDescription> - - WN16-CC-000080 - Insecure logons to an SMB server must be disabled. - <VulnDiscussion>Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000040 + The Kerberos user ticket lifetime must be limited to 10 hours or less. + <VulnDiscussion>In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed. 
+ +Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Lanman Workstation >> "Enable insecure guest logons" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + SV-88015 + V-73363 + CCI-001941 + CCI-001942 + Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket" to a maximum of "10" hours but not "0", which equates to "Ticket doesn't expire". + + + + This applies to domain controllers. It is NA for other systems. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\ +Verify the following is configured in the Default Domain Policy. -Value Name: AllowInsecureGuestAuth +Open "Group Policy Management". -Type: REG_DWORD -Value: 0x00000000 (0) +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). + +Right-click on the "Default Domain Policy". + +Select "Edit". + +Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. + +If the value for "Maximum lifetime for user ticket" is "0" or greater than "10" hours, this is a finding. 
- - SRG-OS-000480-GPOS-00227 + + SRG-OS-000112-GPOS-00057 <GroupDescription></GroupDescription> - - WN16-CC-000090 - Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. - <VulnDiscussion>Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in hardened UNC paths before allowing access to them. This aids in preventing tampering with or spoofing of connections to these paths.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000050 + The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. + <VulnDiscussion>This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access. 
+ +Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Network Provider >> "Hardened UNC Paths" to "Enabled" with at least the following configured in "Hardened UNC Paths": (click the "Show" button to display) + SV-88017 + V-73365 + CCI-001941 + CCI-001942 + Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket renewal" to a maximum of "7" days or less. + + + + This applies to domain controllers. It is NA for other systems. -Value Name: \\*\SYSVOL -Value: RequireMutualAuthentication=1, RequireIntegrity=1 +Verify the following is configured in the Default Domain Policy. -Value Name: \\*\NETLOGON -Value: RequireMutualAuthentication=1, RequireIntegrity=1 - - - - This requirement is applicable to domain-joined systems. For standalone systems, this is NA. +Open "Group Policy Management". -If the following registry values do not exist or are not configured as specified, this is a finding. +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\ +Right-click on the "Default Domain Policy". 
-Value Name: \\*\NETLOGON -Value Type: REG_SZ -Value: RequireMutualAuthentication=1, RequireIntegrity=1 +Select "Edit". -Value Name: \\*\SYSVOL -Value Type: REG_SZ -Value: RequireMutualAuthentication=1, RequireIntegrity=1 +Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. -Additional entries would not be a finding. +If the "Maximum lifetime for user ticket renewal" is greater than "7" days, this is a finding. - - SRG-OS-000042-GPOS-00020 + + SRG-OS-000112-GPOS-00057 <GroupDescription></GroupDescription> - - WN16-CC-000100 - Command line data must be included in process creation events. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + + WN16-DC-000060 + The computer clock synchronization tolerance must be limited to 5 minutes or less. + <VulnDiscussion>This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible. -Enabling "Include command line data for process creation events" will record the command line information with the process creation events in the log. 
This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000135 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> "Include command line in process creation events" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + SV-88019 + V-73367 + CCI-001941 + CCI-001942 + Configure the policy value in the Default Domain Policy for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum tolerance for computer clock synchronization" to a maximum of "5" minutes or less. + + + + This applies to domain controllers. It is NA for other systems. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ +Verify the following is configured in the Default Domain Policy. -Value Name: ProcessCreationIncludeCmdLine_Enabled +Open "Group Policy Management". 
-Value Type: REG_DWORD -Value: 0x00000001 (1) - - +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). + +Right-click on the "Default Domain Policy". + +Select "Edit". + +Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. + +If the "Maximum tolerance for computer clock synchronization" is greater than "5" minutes, this is a finding. + + - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-CC-000110 - Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. - <VulnDiscussion>Virtualization Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum security level, with DMA protection providing additional memory protection. DMA Protection requires a CPU that supports input/output memory management unit (IOMMU).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000070 + Permissions on the Active Directory data files must only allow System and Administrators access. 
+ <VulnDiscussion>Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete directory data or audit trails.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot" or "Secure Boot and DMA Protection" selected. - -A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: - -https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard - - - - For standalone systems, this is NA. - -Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. - -Open "PowerShell" with elevated privileges (run as administrator). - -Enter the following: - -"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" + SV-88021 + V-73369 + CCI-002235 + Maintain the permissions on NTDS database and log files as follows: -If "RequiredSecurityProperties" does not include a value of "2" indicating "Secure Boot" (e.g., "{1, 2}"), this is a finding. - -If "Secure Boot and DMA Protection" is configured, "3" will also be displayed in the results (e.g., "{1, 2, 3}"). 
+NT AUTHORITY\SYSTEM:(I)(F) +BUILTIN\Administrators:(I)(F) -If "VirtualizationBasedSecurityStatus" is not a value of "2" indicating "Running", this is a finding. +(I) - permission inherited from parent container +(F) - full access + + + + This applies to domain controllers. It is NA for other systems. -Alternately: +Run "Regedit". -Run "System Information". +Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". -Under "System Summary", verify the following: +Note the directory locations in the values for: -If "Device Guard Virtualization based security" does not display "Running", this is finding. +Database log files path +DSA Database file -If "Device Guard Required Security Properties" does not display "Base Virtualization Support, Secure Boot", this is finding. +By default, they will be \Windows\NTDS. -If "Secure Boot and DMA Protection" is configured, "DMA Protection" will also be displayed (e.g., "Base Virtualization Support, Secure Boot, DMA Protection"). +If the locations are different, the following will need to be run for each. -The policy settings referenced in the Fix section will configure the following registry values. However, due to hardware requirements, the registry values alone do not ensure proper function. +Open "Command Prompt (Admin)". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ +Navigate to the NTDS directory (\Windows\NTDS by default). -Value Name: EnableVirtualizationBasedSecurity -Value Type: REG_DWORD -Value: 0x00000001 (1) +Run "icacls *.*". -Value Name: RequirePlatformSecurityFeatures -Value Type: REG_DWORD -Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA Protection) +If the permissions on each file are not as restrictive as the following, this is a finding. 
-A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: +NT AUTHORITY\SYSTEM:(I)(F) +BUILTIN\Administrators:(I)(F) -https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard +(I) - permission inherited from parent container +(F) - full access - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-CC-000140 - Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. - <VulnDiscussion>Compromised boot drivers can introduce malware prior to protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on classifications determined by the malware protection application. At a minimum, drivers determined to be bad must not be allowed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000080 + The Active Directory SYSVOL directory must have the proper access control permissions. + <VulnDiscussion>Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. + +The SYSVOL directory contains public files (to the domain) such as policies and logon scripts. 
Data in shared subdirectories are replicated to all domain controllers in a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). - -If this needs to be corrected or a more secure setting is desired, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Early Launch Antimalware >> "Boot-Start Driver Initialization Policy" to "Not Configured" or "Enabled" with any option other than "All" selected. - - - - The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). + SV-88023 + V-73371 + CCI-002235 + Maintain the permissions on the SYSVOL directory. Do not allow greater than "Read & execute" permissions for standard user accounts or groups. The defaults below meet this requirement. -If the registry value name below does not exist, this is not a finding. +C:\Windows\SYSVOL +Type - "Allow" for all +Inherited from - "None" for all -If it exists and is configured with a value of "0x00000007 (7)", this is a finding. 
+Principal - Access - Applies to -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\ +Authenticated Users - Read & execute - This folder, subfolder, and files +Server Operators - Read & execute- This folder, subfolder, and files +Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) +CREATOR OWNER - Full control - Subfolders and files only +Administrators - Full control - Subfolders and files only +SYSTEM - Full control - This folder, subfolders, and files + + + + This applies to domain controllers. It is NA for other systems. -Value Name: DriverLoadPolicy +Open a command prompt. -Value Type: REG_DWORD -Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name does not exist) +Run "net share". -Possible values for this setting are: -8 - Good only -1 - Good and unknown -3 - Good, unknown and bad but critical -7 - All (which includes "bad" and would be a finding) - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN16-CC-000150 - Group Policy objects must be reprocessed even if they have not changed. - <VulnDiscussion>Registry entries for group policy settings can potentially be changed from the required configuration. This could occur as part of troubleshooting or by a malicious process on a compromised system. Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures the policies will be reprocessed even if none have been changed. 
This way, any unauthorized changes are forced to match the domain-based group policy settings again.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Group Policy >> "Configure registry policy processing" to "Enabled" with the option "Process even if the Group Policy objects have not changed" selected. - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Make note of the directory location of the SYSVOL share. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ +By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. -Value Name: NoGPOListChanges +If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. -Type: REG_DWORD -Value: 0x00000000 (0) - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN16-CC-000160 - Downloading print driver packages over HTTP must be prevented. - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. +The default permissions noted below meet this requirement. 
-This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off downloading of print drivers over HTTP" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Open "Command Prompt". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ +Run "icacls c:\Windows\SYSVOL". -Value Name: DisableWebPnPDownload +The following results should be displayed: -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN16-CC-000170 - Printing over HTTP must be prevented. - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. 
+NT AUTHORITY\Authenticated Users:(RX) +NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) +BUILTIN\Server Operators:(RX) +BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) +BUILTIN\Administrators:(M,WDAC,WO) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(F) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M,WDAC,WO) +CREATOR OWNER:(OI)(CI)(IO)(F) -This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off printing over HTTP" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +(RX) - Read & execute -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ +Run "icacls /help" to view definitions of other permission codes. -Value Name: DisableHTTPPrinting +Alternately, open "File Explorer". -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN16-CC-000180 - The network selection user interface (UI) must not be displayed on the logon screen. 
- <VulnDiscussion>Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Do not display network selection UI" to "Enabled". - - - - Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. +Navigate to \Windows\SYSVOL (or the directory noted previously if different). -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ +Right-click the directory and select properties. -Value Name: DontDisplayNetworkSelectionUI +Select the "Security" tab and click "Advanced". -Value Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN16-CC-000210 - Users must be prompted to authenticate when the system wakes from sleep (on battery). - <VulnDiscussion>A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. 
This setting ensures users are prompted for a password when the system wakes from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (on battery)" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Default permissions: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ +C:\Windows\SYSVOL +Type - "Allow" for all +Inherited from - "None" for all -Value Name: DCSettingIndex +Principal - Access - Applies to -Type: REG_DWORD -Value: 0x00000001 (1) +Authenticated Users - Read & execute - This folder, subfolder, and files +Server Operators - Read & execute- This folder, subfolder, and files +Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) +CREATOR OWNER - Full control - Subfolders and files only +Administrators - Full control - Subfolders and files only +SYSTEM - Full control - This folder, subfolders, and files - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-CC-000220 - Users must be prompted to authenticate when the system wakes from sleep (plugged in). - <VulnDiscussion>A system that does not require authentication when resuming from sleep may provide access to unauthorized users. 
Authentication must always be required when accessing a system. This setting ensures users are prompted for a password when the system wakes from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000090 + Active Directory Group Policy objects must have proper access control permissions. + <VulnDiscussion>When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems relying on the directory service. + +For Active Directory (AD), the Group Policy objects require special attention. In a distributed administration model (i.e., help desk), Group Policy objects are more likely to have access permissions changed from the secure defaults. 
If inappropriate access permissions are defined for Group Policy objects, this could allow an intruder to change the security policy applied to all domain client computers (workstations and servers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (plugged in)" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + SV-88025 + V-73373 + CCI-002235 + Maintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. The default permissions below meet this requirement. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ +Authenticated Users - Read, Apply group policy, Special permissions -Value Name: ACSettingIndex +The special permissions for Authenticated Users are for Read-type Properties. -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN16-CC-000240 - The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. +CREATOR OWNER - Special permissions +SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions +Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions +Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions -This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> "Turn off Inventory Collector" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Document any other access permissions that allow the objects to be updated with the ISSO. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppCompat\ +The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created Group Policy objects. + + + + This applies to domain controllers. It is NA for other systems. 
-Value Name: DisableInventory +Review the permissions on Group Policy objects. -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - WN16-CC-000250 - AutoPlay must be turned off for non-volume devices. - <VulnDiscussion>Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-001764 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Disallow Autoplay for non-volume devices" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Open "Group Policy Management" (available from various menus or run "gpmc.msc"). -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ +Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). -Value Name: NoAutoplayfornonVolume +For each Group Policy object: -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - WN16-CC-000260 - The default AutoRun behavior must be configured to prevent AutoRun commands. 
- <VulnDiscussion>Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-001764 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Set the default behavior for AutoRun" to "Enabled" with "Do not execute any autorun commands" selected. - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Select the Group Policy object item in the left pane. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ +Select the "Delegation" tab in the right pane. -Value Name: NoAutorun +Select the "Advanced" button. -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000368-GPOS-00154 - <GroupDescription></GroupDescription> - - WN16-CC-000270 - AutoPlay must be disabled for all drives. - <VulnDiscussion>Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. 
Enabling this policy disables AutoPlay on all drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-001764 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Turn off AutoPlay" to "Enabled" with "All Drives" selected. - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Select each Group or user name. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ +View the permissions. -Value Name: NoDriveTypeAutoRun +If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding. -Type: REG_DWORD -Value: 0x000000ff (255) - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN16-CC-000290 - Windows Telemetry must be configured to Security or Basic. - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender, and telemetry client settings. 
"Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Data Collection and Preview Builds>> "Allow Telemetry" to "Enabled" with "0 - Security [Enterprise Only]" or "1 - Basic" selected in "Options". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\ +The default permissions noted below satisfy this requirement. -Value Name: AllowTelemetry +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button. -Type: REG_DWORD -Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic) - - - - - SRG-OS-000341-GPOS-00132 - <GroupDescription></GroupDescription> - - WN16-CC-000300 - The Application event log size must be configured to 32768 KB or greater. - <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-001849 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater. - - - - If the system is configured to write events directly to an audit server, this is NA. +Authenticated Users - Read, Apply group policy, Special permissions -If the following registry value does not exist or is not configured as specified, this is a finding. +The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ +The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties. 
-Value Name: MaxSize +CREATOR OWNER - Special permissions +SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions +Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions +Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions -Type: REG_DWORD -Value: 0x00008000 (32768) (or greater) +The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on organization created Group Policy objects. - - SRG-OS-000341-GPOS-00132 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-CC-000310 - The Security event log size must be configured to 196608 KB or greater. - <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000100 + The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. + <VulnDiscussion>When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. 
When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. + +The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain. Inappropriate access permissions defined for the Domain Controllers OU could allow an intruder or unauthorized personnel to make changes that could lead to the compromise of the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001849 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Security >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "196608" or greater. - - - - If the system is configured to write events directly to an audit server, this is NA. + SV-88027 + V-73375 + CCI-002235 + Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators. -If the following registry value does not exist or is not configured as specified, this is a finding. +The default permissions listed below satisfy this requirement. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ +Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. 
These may include some change related permissions. -Value Name: MaxSize +CREATOR OWNER - Special permissions -Type: REG_DWORD -Value: 0x00030000 (196608) (or greater) - - - - - SRG-OS-000341-GPOS-00132 - <GroupDescription></GroupDescription> - - WN16-CC-000320 - The System event log size must be configured to 32768 KB or greater. - <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-001849 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> System >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater. - - - - If the system is configured to write events directly to an audit server, this is NA. +SELF - Special permissions -If the following registry value does not exist or is not configured as specified, this is a finding. +Authenticated Users - Read, Special permissions -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ +The special permissions for Authenticated Users are Read types. -Value Name: MaxSize +SYSTEM - Full Control -Type: REG_DWORD -Value: 0x00008000 (32768) (or greater) - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN16-CC-000330 - Windows Server 2016 Windows SmartScreen must be enabled. 
- <VulnDiscussion>Windows SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen will warn users of potentially malicious programs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled". - - - - This is applicable to unclassified systems; for other systems, this is NA. +Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions -If the following registry value does not exist or is not configured as specified, this is a finding. +Enterprise Admins - Full Control -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ +Key Admins - Special permissions -Value Name: EnableSmartScreen +Enterprise Key Admins - Special permissions -Value Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000433-GPOS-00192 - <GroupDescription></GroupDescription> - - WN16-CC-000340 - Explorer Data Execution Prevention must be enabled. - <VulnDiscussion>Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. 
This setting will prevent Data Execution Prevention from being turned off for File Explorer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-002824 - The default behavior is for data execution prevention to be turned on for File Explorer. +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off Data Execution Prevention for Explorer" to "Not Configured" or "Disabled". - - - - The default behavior is for Data Execution Prevention to be turned on for File Explorer. +Pre-Windows 2000 Compatible Access - Special permissions -If the registry value name below does not exist, this is not a finding. +The special permissions for Pre-Windows 2000 Compatible Access are Read types. -If it exists and is configured with a value of "0", this is not a finding. +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + + + + This applies to domain controllers. It is NA for other systems. -If it exists and is configured with a value of "1", this is a finding. +Review the permissions on the Domain Controllers OU. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). -Value Name: NoDataExecutionPrevention +Select "Advanced Features" in the "View" menu if not previously selected. 
-Value Type: REG_DWORD -Value: 0x00000000 (0) (or if the Value Name does not exist) - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN16-CC-000350 - Turning off File Explorer heap termination on corruption must be disabled. - <VulnDiscussion>Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000366 - The default behavior is for File Explorer heap termination on corruption to be disabled. +Select the "Domain Controllers" OU (folder in folder icon). -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off heap termination on corruption" to "Not Configured" or "Disabled". - - - - The default behavior is for File Explorer heap termination on corruption to be enabled. +Right-click and select "Properties". -If the registry Value Name below does not exist, this is not a finding. +Select the "Security" tab. -If it exists and is configured with a value of "0", this is not a finding. +If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding. -If it exists and is configured with a value of "1", this is a finding. +The default permissions listed below satisfy this requirement. 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ +Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding. -Value Name: NoHeapTerminationOnCorruption +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "View" or "Edit" button. + +Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. + +CREATOR OWNER - Special permissions + +SELF - Special permissions + +Authenticated Users - Read, Special permissions + +The special permissions for Authenticated Users are Read types. + +If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +SYSTEM - Full Control + +Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Enterprise Admins - Full Control + +Key Admins - Special permissions + +Enterprise Key Admins - Special permissions + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions + +The Special permissions for Pre-Windows 2000 Compatible Access are Read types. + +If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + + + + + SRG-OS-000324-GPOS-00125 + <GroupDescription></GroupDescription> + + WN16-DC-000110 + Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions. 
+ <VulnDiscussion>When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. + +For Active Directory, the OU objects require special attention. In a distributed administration model (i.e., help desk), OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service to authorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88029 + V-73377 + CCI-002235 + Maintain the permissions on domain-defined OUs to be at least as restrictive as the defaults below. + +Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented. + +CREATOR OWNER - Special permissions + +Self - Special permissions + +Authenticated Users - Read, Special permissions + +The special permissions for Authenticated Users are Read type. 
+ +SYSTEM - Full Control + +Domain Admins - Full Control + +Enterprise Admins - Full Control + +Key Admins - Special permissions + +Enterprise Key Admins - Special permissions + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions + +The special permissions for Pre-Windows 2000 Compatible Access are for Read types. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + + + + This applies to domain controllers. It is NA for other systems. + +Review the permissions on domain-defined OUs. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: + +Right-click the OU and select "Properties". + +Select the "Security" tab. + +If the permissions on the OU are not at least as restrictive as those below, this is a finding. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button. + +Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. + +CREATOR OWNER - Special permissions + +Self - Special permissions + +Authenticated Users - Read, Special permissions + +The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. 
+ +SYSTEM - Full Control + +Domain Admins - Full Control + +Enterprise Admins - Full Control + +Key Admins - Special permissions + +Enterprise Key Admins - Special permissions + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions + +The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + +If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO. + +If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts). + +If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs). + + + + + SRG-OS-000138-GPOS-00069 + <GroupDescription></GroupDescription> + + WN16-DC-000120 + Data files owned by users must be on a different logical partition from the directory server data files. + <VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. 
+ +The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73379 + SV-88031 + CCI-001090 + Move shares used to store files owned by users to a different logical partition than the directory server data files. + + + + This applies to domain controllers. It is NA for other systems. + +Run "Regedit". + +Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". + +Note the directory locations in the values for "DSA Database file". + +Open "Command Prompt". + +Enter "net share". + +Note the logical drive(s) or file system partition for any organization-created data shares. + +Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored. + +If user shares are located on the same logical partition as the directory server data files, this is a finding. + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + WN16-DC-000130 + Domain controllers must run on a machine dedicated to that function. + <VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer. 
+ +Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73381 + SV-88033 + CCI-000381 + Remove additional roles or applications such as web, database, and email from the domain controller. + + + + This applies to domain controllers, It is NA for other systems. + +Review the installed roles the domain controller is supporting. + +Start "Server Manager". + +Select "AD DS" in the left pane and the server name under "Servers" to the right. + +Select "Add (or Remove) Roles and Features" from "Tasks" in the "Roles and Features" section. (Cancel before any changes are made.) + +Determine if any additional server roles are installed. A basic domain controller setup will include the following: + +- Active Directory Domain Services +- DNS Server +- File and Storage Services + +If any roles not requiring installation on a domain controller are installed, this is a finding. + +A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. + +Run "Programs and Features". + +Review installed applications. 
+ +If any applications are installed that are not required for the domain controller, this is a finding. + + + + + SRG-OS-000396-GPOS-00176 + <GroupDescription></GroupDescription> + + WN16-DC-000140 + Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. + <VulnDiscussion>Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88035 + V-73383 + CCI-002450 + Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfer replication data through a network cleared to a lower level than the data. + + + + This applies to domain controllers. It is NA for other systems. + +Review the organization network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted. + +Determine the classification level of the Windows domain controller. 
+ +If the classification level of the Windows domain controller is higher than the level of the networks, review the organization network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic. + +If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN16-DC-000150 + Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. + <VulnDiscussion>To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88037 + V-73385 + CCI-000366 + Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access. + +For AD, there are multiple configuration items that could enable anonymous access. + +Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. 
This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc). + +The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG. + + + + This applies to domain controllers. It is NA for other systems. + +Open "Command Prompt" (not elevated). + +Run "ldp.exe". + +From the "Connection menu", select "Bind". + +Clear the User, Password, and Domain fields. + +Select "Simple bind" for the Bind type and click "OK". + +Confirmation of anonymous access will be displayed at the end: + +res = ldap_simple_bind_s +Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' + +From the "Browse" menu, select "Search". + +In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. + +Clear the Attributes field and select "Run". + +Error messages should display related to Bind and user not authenticated. + +If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding. + +The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. + +Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. + +Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address. + + + + + SRG-OS-000163-GPOS-00072 + <GroupDescription></GroupDescription> + + WN16-DC-000160 + The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. + <VulnDiscussion>The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. 
The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88039 + V-73387 + CCI-001133 + Configure the directory service to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. + +Open an elevated "Command prompt" (run as administrator). + +Enter "ntdsutil". + +At the "ntdsutil:" prompt, enter "LDAP policies". + +At the "ldap policy:" prompt, enter "connections". + +At the "server connections:" prompt, enter "connect to server [host-name]" (where [host-name] is the computer name of the domain controller). + +At the "server connections:" prompt, enter "q". + +At the "ldap policy:" prompt, enter "Set MaxConnIdleTime to 300". + +Enter "Commit Changes" to save. + +Enter "Show values" to verify changes. + +Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. + + + + This applies to domain controllers. It is NA for other systems. + +Open an elevated "Command Prompt" (run as administrator). + +Enter "ntdsutil". + +At the "ntdsutil:" prompt, enter "LDAP policies". + +At the "ldap policy:" prompt, enter "connections". 
+ +At the "server connections:" prompt, enter "connect to server [host-name]" +(where [host-name] is the computer name of the domain controller). + +At the "server connections:" prompt, enter "q". + +At the "ldap policy:" prompt, enter "show values". + +If the value for MaxConnIdleTime is greater than "300" (5 minutes) or is not specified, this is a finding. + +Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. + +Alternately, Dsquery can be used to display MaxConnIdleTime: + +Open "Command Prompt (Admin)". +Enter the following command (on a single line). + +dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits + +The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil). + +If the results do not specify a "MaxConnIdleTime" or it has a value greater than "300" (5 minutes), this is a finding. + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-DC-000170 + Active Directory Group Policy objects must be configured with proper audit settings. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes Group Policy objects. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73389 + SV-88041 + CCI-000172 + CCI-002234 + Configure the audit settings for Group Policy objects to include the following. + +This can be done at the Policy level in Active Directory to apply to all group policies. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Select "Advanced Features" from the "View" Menu. + +Navigate to [Domain] >> System >> Policies in the left panel. + +Right click "Policies", select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button. + +Select the "Auditing" tab. + +Type - Fail +Principal - Everyone +Access - Full Control +Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects + +The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. 
+ +Type - Success +Principal - Everyone +Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) +Inherited from - Parent Object +Applies to - Descendant groupPolicyContainer objects + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) +Inherited from - Parent Object +Applies to - Descendant Organization Unit Objects + + + + This applies to domain controllers. It is NA for other systems. + +Review the auditing configuration for all Group Policy objects. + +Open "Group Policy Management" (available from various menus or run "gpmc.msc"). + +Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). + +For each Group Policy object: + +Select the Group Policy object item in the left pane. + +Select the "Delegation" tab in the right pane. + +Select the "Advanced" button. + +Select the "Advanced" button again and then the "Auditing" tab. + +If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects + +The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. + +Type - Success +Principal - Everyone +Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) +Inherited from - Parent Object +Applies to - Descendant groupPolicyContainer objects + +Two instances with the following summary information will be listed. 
+ +Type - Success +Principal - Everyone +Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) +Inherited from - Parent Object +Applies to - Descendant Organization Unit Objects + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-DC-000180 + The Active Directory Domain object must be configured with proper audit settings. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73391 + SV-88043 + CCI-002234 + CCI-000172 + Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select the domain being reviewed in the left pane. + +Right-click the domain name and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +Configure the audit settings for Domain object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Two instances with the following summary information will be listed. 
+ +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - None +Applies to - Special + +Type - Success +Principal - Domain Users +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Administrators +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner.) + + + + This applies to domain controllers. It is NA for other systems. + +Review the auditing configuration for the Domain object. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select the domain being reviewed in the left pane. + +Right-click the domain name and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Two instances with the following summary information will be listed. 
+ +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - None +Applies to - Special + +Type - Success +Principal - Domain Users +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Administrators +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner) + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN16-DC-000190 + The Active Directory Infrastructure object must be configured with proper audit settings. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Infrastructure object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + V-73393 + SV-88045 + CCI-000172 + CCI-002234 + Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. -Value Type: REG_DWORD -Value: 0x00000000 (0) (or if the Value Name does not exist) +Select the domain being reviewed in the left pane. + +Right-click the "Infrastructure" object in the right pane and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +Configure the audit settings for Infrastructure object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +(Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) + + + + This applies to domain controllers. It is NA for other systems. + +Review the auditing configuration for Infrastructure object. 
+ +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select the domain being reviewed in the left pane. + +Right-click the "Infrastructure" object in the right pane and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +(Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-CC-000360 - File Explorer shell protocol must run in protected mode. - <VulnDiscussion>The shell protocol will limit the set of folders that applications can open when run in protected mode. 
Restricting files an application can open to a limited set of folders increases the security of Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000200 + The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain Controller OU object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - The default behavior is for shell protected mode to be turned on for File Explorer. + SV-88047 + V-73395 + CCI-002234 + CCI-000172 + Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled". - - - - The default behavior is for shell protected mode to be turned on for File Explorer. +Ensure "Advanced Features" is selected in the "View" menu. -If the registry value name below does not exist, this is not a finding. +Select the "Domain Controllers OU" under the domain being reviewed in the left pane. -If it exists and is configured with a value of "0", this is not a finding. +Right-click the "Domain Controllers OU" object and select "Properties". -If it exists and is configured with a value of "1", this is a finding. +Select the "Security" tab. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ +Select the "Advanced" button and then the "Auditing" tab. -Value Name: PreXPSP2ShellProtocolBehavior +Configure the audit settings for Domain Controllers OU object to include the following. 
-Value Type: REG_DWORD -Value: 0x00000000 (0) (or if the Value Name does not exist) +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: all create, delete and modify permissions) + +Type - Success +Principal - Everyone +Access - Write all properties +Inherited from - None +Applies to - This object and all descendant objects + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objects + + + + This applies to domain controllers. It is NA for other systems. + +Review the auditing configuration for the Domain Controller OU object. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select the "Domain Controllers OU" under the domain being reviewed in the left pane. + +Right-click the "Domain Controllers OU" object and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object and all descendant objects + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. 
+ +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: all create, delete and modify permissions) + +Type - Success +Principal - Everyone +Access - Write all properties +Inherited from - None +Applies to - This object and all descendant objects + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objects - - SRG-OS-000373-GPOS-00157 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-CC-000370 - Passwords must not be saved in the Remote Desktop Client. - <VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client. + + WN16-DC-000210 + The Active Directory AdminSDHolder object must be configured with proper audit settings. + <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. 
-Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the AdminSDHolder object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002038 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> "Do not allow passwords to be saved" to "Enabled". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding. + V-73397 + SV-88049 + CCI-000172 + CCI-002234 + Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ +Ensure "Advanced Features" is selected in the "View" menu. -Value Name: DisablePasswordSaving +Select "System" under the domain being reviewed in the left pane. -Type: REG_DWORD -Value: 0x00000001 (1) +Right-click the "AdminSDHolder" object in the right pane and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +Configure the audit settings for AdminSDHolder object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Write all properties, Modify permissions, Modify owner) + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objects + + + + This applies to domain controllers. It is NA for other systems. + +Review the auditing configuration for the "AdminSDHolder" object. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select "System" under the domain being reviewed in the left pane. 
+ +Right-click the "AdminSDHolder" object in the right pane and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +If the audit settings on the "AdminSDHolder" object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Write all properties, Modify permissions, Modify owner) + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objects - - SRG-OS-000138-GPOS-00069 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-CC-000380 - Local drives must be prevented from sharing with Remote Desktop Session Hosts. - <VulnDiscussion>Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000220 + The Active Directory RID Manager$ object must be configured with proper audit settings. 
+ <VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the RID Manager$ object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001090 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> "Do not allow drive redirection" to "Enabled". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding. + V-73399 + SV-88051 + CCI-002234 + CCI-000172 + Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ +Ensure "Advanced Features" is selected in the "View" menu. -Value Name: fDisableCdm +Select "System" under the domain being reviewed in the left pane. -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000373-GPOS-00157 - <GroupDescription></GroupDescription> - - WN16-CC-000390 - Remote Desktop Services must always prompt a client for passwords upon connection. - <VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server. +Right-click the "RID Manager$" object in the right pane and select "Properties". -Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-002038 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Always prompt for password upon connection" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Select the "Security" tab. 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ +Select the "Advanced" button and then the "Auditing" tab. -Value Name: fPromptForPassword +Configure the audit settings for RID Manager$ object to include the following. -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - WN16-CC-000400 - The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications. - <VulnDiscussion>Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a client and server and modifies them before allowing the packets to be exchanged. Usually the attacker will modify the information in the packets in an attempt to cause either the client or server to reveal sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-001453 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Require secure RPC communication" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ +The success types listed below are defaults. 
Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. -Value Name: fEncryptRPCTraffic +Type - Success +Principal - Everyone +Access - Special +Inherited from - None + (Access - Special = Write all properties, All extended rights, Change RID master) -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000250-GPOS-00093 - <GroupDescription></GroupDescription> - - WN16-CC-000410 - Remote Desktop Services must be configured with the client connection encryption set to High Level. - <VulnDiscussion>Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-001453 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Set client connection encryption level" to "Enabled" with "High Level" selected. - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Two instances with the following summary information will be listed. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) + + + + This applies to domain controllers. It is NA for other systems. 
-Value Name: MinEncryptionLevel +Review the auditing configuration for the "RID Manager$" object. -Type: REG_DWORD -Value: 0x00000003 (3) - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN16-CC-000420 - Attachments must be prevented from being downloaded from RSS feeds. - <VulnDiscussion>Attachments from RSS feeds may not be secure. This setting will prevent attachments from being downloaded from RSS feeds.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Prevent downloading of enclosures" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ +Ensure "Advanced Features" is selected in the "View" menu. -Value Name: DisableEnclosureDownload +Select "System" under the domain being reviewed in the left pane. -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN16-CC-000430 - Basic authentication for RSS feeds over HTTP must not be used. - <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000381 - The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. +Right-click the "RID Manager$" object in the right pane and select "Properties". -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Turn on Basic feed authentication over HTTP" to "Not Configured" or "Disabled". - - - - The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. +Select the "Security" tab. -If the registry value name below does not exist, this is not a finding. +Select the "Advanced" button and then the "Auditing" tab. -If it exists and is configured with a value of "0", this is not a finding. +If the audit settings on the "RID Manager$" object are not at least as inclusive as those below, this is a finding. -If it exists and is configured with a value of "1", this is a finding. +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. 
-Value Name: AllowBasicAuthInClear +Type - Success +Principal - Everyone +Access - Special +Inherited from - None + (Access - Special = Write all properties, All extended rights, Change RID master) -Value Type: REG_DWORD -Value: 0x00000000 (0) (or if the Value Name does not exist) +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000004-GPOS-00004 <GroupDescription></GroupDescription> - - WN16-CC-000440 - Indexing of encrypted files must be turned off. - <VulnDiscussion>Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000230 + Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Computer Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling computer accounts. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> "Allow indexing of encrypted files" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + SV-88069 + V-73417 + CCI-000172 + CCI-000018 + CCI-001403 + CCI-001404 + CCI-002130 + CCI-001405 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Computer Account Management" with "Success" selected. + + + + This applies to domain controllers. It is NA for other systems. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Windows Search\ +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Value Name: AllowIndexingEncryptedStoresOrItems +Use the AuditPol tool to review the current Audit Policy configuration: -Value Type: REG_DWORD -Value: 0x00000000 (0) +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Account Management >> Computer Account Management - Success - - SRG-OS-000362-GPOS-00149 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-CC-000450 - Users must be prevented from changing installation options. - <VulnDiscussion>Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000240 + Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Directory Service Access records events related to users accessing an Active Directory object. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001812 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Allow user control over installs" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + SV-88087 + V-73435 + CCI-002234 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Access" with "Success" selected. + + + + This applies to domain controllers. It is NA for other systems. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Value Name: EnableUserControl +Use the AuditPol tool to review the current Audit Policy configuration: -Type: REG_DWORD -Value: 0x00000000 (0) +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +DS Access >> Directory Service Access - Success - - SRG-OS-000362-GPOS-00149 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-CC-000460 - The Windows Installer Always install with elevated privileges option must be disabled. - <VulnDiscussion>Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000250 + Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Directory Service Access records events related to users accessing an Active Directory object. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001812 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + SV-88089 + V-73437 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Access" with "Failure" selected. + + + + This applies to domain controllers. It is NA for other systems. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Value Name: AlwaysInstallElevated +Use the AuditPol tool to review the current Audit Policy configuration: -Type: REG_DWORD -Value: 0x00000000 (0) +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +DS Access >> Directory Service Access - Failure - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-CC-000470 - Users must be notified if a web-based program attempts to install software. - <VulnDiscussion>Web-based programs may attempt to install malicious software on a system. Ensuring users are notified if a web-based program attempts to install software allows them to refuse the installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000260 + Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Directory Service Changes records events related to changes made to objects in Active Directory Domain Services. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. + V-73439 + SV-88091 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Changes" with "Success" selected. + + + + This applies to domain controllers. It is NA for other systems. -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Not Configured" or "Disabled". - - - - The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -If the registry value name below does not exist, this is not a finding. 
+Use the AuditPol tool to review the current Audit Policy configuration: -If it exists and is configured with a value of "0", this is not a finding. +Open an elevated "Command Prompt" (run as administrator). -If it exists and is configured with a value of "1", this is a finding. +Enter "AuditPol /get /category:*". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ +Compare the AuditPol settings with the following. -Value Name: SafeForScripting +If the system does not audit the following, this is a finding. -Value Type: REG_DWORD -Value: 0x00000000 (0) (or if the Value Name does not exist) +DS Access >> Directory Service Changes - Success - - SRG-OS-000480-GPOS-00229 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN16-CC-000480 - Automatically signing in the last interactive user after a system-initiated restart must be disabled. - <VulnDiscussion>Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000270 + Windows Server 2016 must be configured to audit DS Access - Directory Service Changes failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Directory Service Changes records events related to changes made to objects in Active Directory Domain Services. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> "Sign-in last interactive user automatically after a system-initiated restart" to "Disabled". - - - - Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + V-73441 + SV-88093 + CCI-002234 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Changes" with "Failure" selected. + + + + This applies to domain controllers. It is NA for other systems. 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. -Value Name: DisableAutomaticRestartSignOn +Use the AuditPol tool to review the current Audit Policy configuration: -Value Type: REG_DWORD -Value: 0x00000001 (1) +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +DS Access >> Directory Service Changes - Failure - - SRG-OS-000042-GPOS-00020 + + SRG-OS-000066-GPOS-00034 <GroupDescription></GroupDescription> - - WN16-CC-000490 - PowerShell script block logging must be enabled. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. 
This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000280 + Domain controllers must have a PKI server certificate. + <VulnDiscussion>Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. Domain controllers must have a server certificate to establish authenticity as part of PKI authentications in the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000135 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + V-73611 + SV-88275 + CCI-000185 + Obtain a server certificate for the domain controller. + + + + This applies to domain controllers. It is NA for other systems. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ +Run "MMC". 
-Value Name: EnableScriptBlockLogging +Select "Add/Remove Snap-in" from the "File" menu. -Value Type: REG_DWORD -Value: 0x00000001 (1) +Select "Certificates" in the left pane and click the "Add >" button. + +Select "Computer Account" and click "Next". + +Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". + +Click "OK". + +Select and expand the Certificates (Local Computer) entry in the left pane. + +Select and expand the Personal entry in the left pane. + +Select the Certificates entry in the left pane. + +If no certificate for the domain controller exists in the right pane, this is a finding. - - SRG-OS-000125-GPOS-00065 + + SRG-OS-000066-GPOS-00034 <GroupDescription></GroupDescription> - - WN16-CC-000500 - The Windows Remote Management (WinRM) client must not use Basic authentication. - <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000290 + Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). + <VulnDiscussion>A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. 
If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000877 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow Basic authentication" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + V-73613 + SV-88277 + CCI-000185 + Obtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA. + + + + This applies to domain controllers. It is NA for other systems. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ +Run "MMC". -Value Name: AllowBasic +Select "Add/Remove Snap-in" from the "File" menu. -Type: REG_DWORD -Value: 0x00000000 (0) +Select "Certificates" in the left pane and click the "Add >" button. + +Select "Computer Account" and click "Next". + +Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". + +Click "OK". + +Select and expand the Certificates (Local Computer) entry in the left pane. + +Select and expand the Personal entry in the left pane. + +Select the Certificates entry in the left pane. + +In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. 
+ +If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. + +If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. + +There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: + +The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. + +DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: + +http://iase.disa.mil/pki-pke/function_pages/tools.html - - SRG-OS-000393-GPOS-00173 + + SRG-OS-000066-GPOS-00034 <GroupDescription></GroupDescription> - - WN16-CC-000510 - The Windows Remote Management (WinRM) client must not allow unencrypted traffic. - <VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. - -Satisfies: SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000300 + PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA). + <VulnDiscussion>A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. 
Without proper practices, the certificates issued by a CA have limited value in authentication functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002890 - CCI-003123 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow unencrypted traffic" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + V-73615 + SV-88279 + CCI-000185 + Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details. + + + + This applies to domain controllers. It is NA for other systems. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ +Review user account mappings to PKI certificates. -Value Name: AllowUnencryptedTraffic +Open "Windows PowerShell". -Type: REG_DWORD -Value: 0x00000000 (0) +Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled". + +Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. + +If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. + +For standard NIPRNet certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). 
+ +Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization. + +NIPRNet Example: +Name - User Principal Name +User1 - 1234567890@mil + +See PKE documentation for other network domain suffixes. + +If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding. - - SRG-OS-000125-GPOS-00065 + + SRG-OS-000105-GPOS-00052 <GroupDescription></GroupDescription> - - WN16-CC-000520 - The Windows Remote Management (WinRM) client must not use Digest authentication. - <VulnDiscussion>Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000310 + Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. + <VulnDiscussion>Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for authentication. 
+ +Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000877 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Disallow Digest authentication" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + V-73617 + SV-88281 + CCI-000765 + CCI-000766 + CCI-000767 + CCI-000768 + CCI-001948 + Configure all user accounts, including administrator accounts, in Active Directory to enable the option "Smart card is required for interactive logon". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ +Run "Active Directory Users and Computers" (available from various menus or run "dsa.msc"): -Value Name: AllowDigest +Select the OU where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.) -Type: REG_DWORD -Value: 0x00000000 (0) +Right-click the user account and select "Properties". + +Select the "Account" tab. + +Check "Smart card is required for interactive logon" in the "Account Options" area. + + + + This applies to domain controllers. It is NA for other systems. + +Open "PowerShell". 
+ +Enter the following: + +"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name" +("DistinguishedName" may be substituted for "Name" for more detailed output.) + +If any user accounts, including administrators, are listed, this is a finding. + +Alternately: + +To view sample accounts in "Active Directory Users and Computers" (available from various menus or run "dsa.msc"): + +Select the Organizational Unit (OU) where the user accounts are located. (By default, this is the Users node; however, accounts may be under other organization-defined OUs.) + +Right-click the sample user account and select "Properties". + +Select the "Account" tab. + +If any user accounts, including administrators, do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding. - - SRG-OS-000125-GPOS-00065 + + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - - WN16-CC-000530 - The Windows Remote Management (WinRM) service must not use Basic authentication. - <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000320 + Domain controllers must require LDAP access signing. + <VulnDiscussion>Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. 
In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. The risk of an attacker pulling this off can be decreased by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle attacks extremely difficult. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000877 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow Basic authentication" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + SV-88293 + V-73629 + CCI-002418 + CCI-002421 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: LDAP server signing requirements" to "Require signing". + + + + This applies to domain controllers. It is NA for other systems. + +If the following registry value does not exist or is not configured as specified, this is a finding. 
Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ +Registry Path: \SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ -Value Name: AllowBasic +Value Name: LDAPServerIntegrity -Type: REG_DWORD -Value: 0x00000000 (0) +Value Type: REG_DWORD +Value: 0x00000002 (2) - - SRG-OS-000393-GPOS-00173 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-CC-000540 - The Windows Remote Management (WinRM) service must not allow unencrypted traffic. - <VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. - -Satisfies: SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000330 + Domain controllers must be configured to allow reset of machine account passwords. + <VulnDiscussion>Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. 
If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002890 - CCI-003123 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow unencrypted traffic" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. + SV-88295 + V-73631 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: Refuse machine account password changes" to "Disabled". + + + + This applies to domain controllers. It is NA for other systems. + +If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ -Value Name: AllowUnencryptedTraffic +Value Name: RefusePasswordChange -Type: REG_DWORD +Value Type: REG_DWORD Value: 0x00000000 (0) - - SRG-OS-000373-GPOS-00157 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-CC-000550 - The Windows Remote Management (WinRM) service must not store RunAs credentials. - <VulnDiscussion>Storage of administrative credentials could allow unauthorized access. 
Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins. + + WN16-DC-000430 + The password for the krbtgt account on a domain must be reset at least every 180 days. + <VulnDiscussion>The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domain is created and the password is typically not changed. If the krbtgt account is compromised, attackers can create valid Kerberos Ticket Granting Tickets (TGT). -Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +The password must be changed twice to effectively remove the password history.Changing once, waiting for replication to complete and the amount of time equal to or greater than the maximum Kerberos ticket lifetime, and changing again reduces the risk of issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002038 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Disallow WinRM from storing RunAs credentials" to "Enabled". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding. + V-91779 + SV-101881 + CCI-000366 + Reset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ +PowerShell scripts are available to accomplish this such as at the following link: +https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 -Value Name: DisableRunAs +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). -Type: REG_DWORD -Value: 0x00000001 (1) +Select "Advanced Features" in the "View" menu if not previously selected. + +Select the "Users" node. + +Right click on the krbtgt account and select "Reset password". + +Enter a password that meets password complexity requirements. + +Clear the "User must change password at next logon" check box. + +The system will automatically change this to a system generated complex password. + + + + This requirement is applicable to domain controllers; it is NA for other systems. + +Open "Windows PowerShell". + +Enter "Get-ADUser krbtgt -Property PasswordLastSet". + +If the "PasswordLastSet" date is more than 180 days old, this is a finding. - + SRG-OS-000066-GPOS-00034 <GroupDescription></GroupDescription> - + WN16-PK-000010 The DoD Root CA certificates must be installed in the Trusted Root Store. <VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). 
The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs. Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000185 - CCI-002470 - Install the DoD Root CA certificates: + SV-88269 + V-73605 + CCI-002470 + CCI-000185 + Install the DoD Root CA certificates: DoD Root CA 2 DoD Root CA 3 DoD Root CA 4 DoD Root CA 5 -The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx. - - - +The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. + + + The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. Open "Windows PowerShell" as an administrator. @@ -9273,9 +10227,7 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. - -If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 
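Review bot: the rewritten check sentence in this hunk still reads "this is finding" (the + line carries the typo over from the - line it replaces), while the identical sentence in the WN16-PK-000020 and WN16-PK-000030 hunks further down was corrected to "this is a finding"; either apply the same fix here (`+If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding.`) or, if the project mirrors the STIG text verbatim, leave all three as the source has them so the rules stay consistent.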
@@ -9319,8 +10271,6 @@ Scroll to the bottom and select "Thumbprint". If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. - DoD Root CA 2 Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 Valid to: Wednesday, December 5, 2029 
@@ -9339,34 +10289,37 @@ Valid to: Friday, June 14, 2041 - + SRG-OS-000066-GPOS-00034 <GroupDescription></GroupDescription> - + WN16-PK-000020 The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000185 - CCI-002470 - Install the DoD Interoperability Root CA cross-certificates on unclassified systems. + SV-88271 + V-73607 + CCI-000185 + CCI-002470 + Install the DoD Interoperability Root CA cross-certificates on unclassified systems. Issued To - Issued By - Thumbprint -DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F +DoD Root CA 2 - DoD Interoperability Root CA 1 - A8C27332CCB4CA49554CE55D34062A7DD2850C02 DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341 -The certificates can be installed using the InstallRoot tool. The tool and user guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx. - - - + +The certificates can be installed using the InstallRoot tool. 
The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. + + + Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. Run "PowerShell" as an administrator. @@ -9375,19 +10328,17 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. - -If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. - -Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F -NotAfter: 9/6/2019 +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 -NotAfter: 1/22/2022 +NotAfter: 1/22/2022 7:22:56 AM + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02 +NotAfter: 8/26/2022 6:25:51 AM Alternately use the Certificates MMC snap-in: @@ -9405,7 +10356,7 @@ Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". -For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": +For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": Right-click on the certificate and select "Open". 
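Review bot: the -/+ pair `For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By":` renders identically on both sides, so the change must be whitespace or the encoding of the ellipsis character; confirm it is intentional rather than editor churn, since the same invisible change appears again in the CCEB hunk at the end of this file.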
@@ -9417,45 +10368,48 @@ If the certificates below are not listed or the value for the "Thumbprint" field If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. -Issued To: DoD Root CA 2 -Issued By: DoD Interoperability Root CA 1 -Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F -Valid to: Friday, September 6, 2019 - -Issued To: DoD Root CA 3 -Issued By: DoD Interoperability Root CA 2 +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 -Valid to: Saturday, January 22, 2022 +Valid to: Saturday, January 22, 2022 + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02 +Valid to: Friday, August 26, 2022 + - + SRG-OS-000066-GPOS-00034 <GroupDescription></GroupDescription> - + WN16-PK-000030 The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. 
Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000185 - CCI-002470 - Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. + V-73609 + SV-88273 + CCI-002470 + CCI-000185 + Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. Issued To - Issued By - Thumbprint -DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E +DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 -The certificates can be installed using the InstallRoot tool. The tool and user guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx. - - - +The certificates can be installed using the InstallRoot tool. The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. + + + Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. Run "PowerShell" as an administrator. 
@@ -9464,14 +10418,12 @@ Execute the following command: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter -If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is finding. - -If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is a finding. Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E -NotAfter: 9/27/2019 +Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 +NotAfter: 8/26/2022 Alternately use the Certificates MMC snap-in: @@ -9489,7 +10441,7 @@ Click "OK". Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". -For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": +For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": Right-click on the certificate and select "Open". 
@@ -9499,375 +10451,108 @@ Scroll to the bottom and select "Thumbprint". If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. - -Issued To: DoD Root CA 3 -Issuer by: US DoD CCEB Interoperability Root CA 2 -Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E -Valid: Friday, September 27, 2019 - - - - - SRG-OS-000066-GPOS-00034 - <GroupDescription></GroupDescription> - - WN16-DC-000280 - Domain controllers must have a PKI server certificate. - <VulnDiscussion>Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. Domain controllers must have a server certificate to establish authenticity as part of PKI authentications in the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000185 - Obtain a server certificate for the domain controller. - - - - This applies to domain controllers. It is NA for other systems. - -Run "MMC". - -Select "Add/Remove Snap-in" from the "File" menu. - -Select "Certificates" in the left pane and click the "Add >" button. - -Select "Computer Account" and click "Next". - -Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". - -Click "OK". - -Select and expand the Certificates (Local Computer) entry in the left pane. - -Select and expand the Personal entry in the left pane. 
- -Select the Certificates entry in the left pane. - -If no certificate for the domain controller exists in the right pane, this is a finding. - - - - - SRG-OS-000066-GPOS-00034 - <GroupDescription></GroupDescription> - - WN16-DC-000290 - Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). - <VulnDiscussion>A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000185 - Obtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA. - - - - This applies to domain controllers. It is NA for other systems. - -Run "MMC". - -Select "Add/Remove Snap-in" from the "File" menu. - -Select "Certificates" in the left pane and click the "Add >" button. - -Select "Computer Account" and click "Next". - -Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". - -Click "OK". - -Select and expand the Certificates (Local Computer) entry in the left pane. - -Select and expand the Personal entry in the left pane. - -Select the Certificates entry in the left pane. 
- -In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. - -If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. - -If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. - -There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: - -The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. - -DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: - -http://iase.disa.mil/pki-pke/function_pages/tools.html - - - - - SRG-OS-000066-GPOS-00034 - <GroupDescription></GroupDescription> - - WN16-DC-000300 - PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA). - <VulnDiscussion>A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000185 - Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. 
See PKE documentation for details. - - - - This applies to domain controllers. It is NA for other systems. - -Review user account mappings to PKI certificates. - -Open "Windows PowerShell". - -Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled". - -Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. - -If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. - -For standard NIPRNet certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). - -Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization. - -NIPRNet Example: -Name - User Principal Name -User1 - 1234567890@mil - -See PKE documentation for other network domain suffixes. - -If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding. - - - - - SRG-OS-000105-GPOS-00052 - <GroupDescription></GroupDescription> - - WN16-DC-000310 - Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. - <VulnDiscussion>Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for authentication. 
- -Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000765 - CCI-000766 - CCI-000767 - CCI-000768 - CCI-001948 - Configure all user accounts, including administrator accounts, in Active Directory to enable the option "Smart card is required for interactive logon". - -Run "Active Directory Users and Computers" (available from various menus or run "dsa.msc"): - -Select the OU where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.) - -Right-click the user account and select "Properties". - -Select the "Account" tab. - -Check "Smart card is required for interactive logon" in the "Account Options" area. - - - - This applies to domain controllers. It is NA for other systems. - -Open "PowerShell". - -Enter the following: - -"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name" -("DistinguishedName" may be substituted for "Name" for more detailed output.) - -If any user accounts, including administrators, are listed, this is a finding. - -Alternately: - -To view sample accounts in "Active Directory Users and Computers" (available from various menus or run "dsa.msc"): - -Select the Organizational Unit (OU) where the user accounts are located. (By default, this is the Users node; however, accounts may be under other organization-defined OUs.) - -Right-click the sample user account and select "Properties". 
- -Select the "Account" tab. - -If any user accounts, including administrators, do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding. +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 +Valid: Friday, August 26, 2022 + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000020 Local accounts with blank passwords must be restricted to prevent access from the network. <VulnDiscussion>An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Limit local account use of blank passwords to console logon only" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ - -Value Name: LimitBlankPasswordUse - -Value Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000062-GPOS-00031 - <GroupDescription></GroupDescription> - - WN16-SO-000050 - Audit policy using subcategories must be enabled. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000169 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. 
- -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ - -Value Name: SCENoApplyLegacyAuditPolicy - -Value Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000423-GPOS-00187 - <GroupDescription></GroupDescription> - - WN16-DC-000320 - Domain controllers must require LDAP access signing. - <VulnDiscussion>Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. The risk of an attacker pulling this off can be decreased by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle attacks extremely difficult. - -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA - DPMS Target - Windows 2016 - 3157 - - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: LDAP server signing requirements" to "Require signing". - - - - This applies to domain controllers. It is NA for other systems. 
- -If the following registry value does not exist or is not configured as specified, this is a finding. + DPMS Target + Windows Server 2016 + 4205 + + SV-88285 + V-73621 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Limit local account use of blank passwords to console logon only" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ -Value Name: LDAPServerIntegrity +Value Name: LimitBlankPasswordUse Value Type: REG_DWORD -Value: 0x00000002 (2) +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000062-GPOS-00031 <GroupDescription></GroupDescription> - - WN16-DC-000330 - Domain controllers must be configured to allow reset of machine account passwords. - <VulnDiscussion>Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-SO-000050 + Audit policy using subcategories must be enabled. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. +This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: Refuse machine account password changes" to "Disabled". - - - - This applies to domain controllers. It is NA for other systems. - -If the following registry value does not exist or is not configured as specified, this is a finding. + SV-88291 + V-73627 + CCI-000169 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ -Value Name: RefusePasswordChange +Value Name: SCENoApplyLegacyAuditPolicy Value Type: REG_DWORD -Value: 0x00000000 (0) +Value: 0x00000001 (1) - + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - + WN16-SO-000080 The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. <VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted and signed. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt or sign secure channel data (always)" to "Enabled". - - - + SV-88297 + V-73633 + CCI-002421 + CCI-002418 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt or sign secure channel data (always)" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. 
-Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal @@ -9877,28 +10562,30 @@ Value: 0x00000001 (1) - + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - + WN16-SO-000090 The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled. <VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt secure channel data (when possible)" to "Enabled". - - - + SV-88299 + V-73635 + CCI-002418 + CCI-002421 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt secure channel data (when possible)" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE 
@@ -9911,28 +10598,30 @@ Value: 0x00000001 (1) - + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - + WN16-SO-000100 The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. <VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing secure channel traffic will be signed. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally sign secure channel data (when possible)" to "Enabled". - - - + SV-88301 + V-73637 + CCI-002421 + CCI-002418 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally sign secure channel data (when possible)" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE 
@@ -9945,28 +10634,30 @@ Value: 0x00000001 (1) - + SRG-OS-000379-GPOS-00164 <GroupDescription></GroupDescription> - + WN16-SO-000110 The computer account password must not be prevented from being reset. <VulnDiscussion>Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. A new password for the computer account will be generated every 30 days.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001967 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Disable machine account password changes" to "Disabled". - - - + V-73639 + SV-88303 + CCI-001967 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Disable machine account password changes" to "Disabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: DisablePasswordChange 
@@ -9976,32 +10667,34 @@ Value: 0x00000000 (0) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000120 The maximum age for machine account passwords must be configured to 30 days or less. <VulnDiscussion>Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than 30 days, ensuring the machine changes its password monthly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - This is the default configuration for this setting (30 days). + SV-88305 + V-73641 + CCI-000366 + This is the default configuration for this setting (30 days). Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Maximum machine account password age" to "30" or less (excluding "0", which is unacceptable). - - - + + + This is the default configuration for this setting (30 days). If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: MaximumPasswordAge 
@@ -10011,64 +10704,68 @@ Value: 0x0000001e (30) (or less, but not 0) - + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - + WN16-SO-000130 Windows Server 2016 must be configured to require a strong session key. <VulnDiscussion>A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. Requiring strong session keys enforces 128-bit encryption between systems. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Require strong (Windows 2000 or Later) session key" to "Enabled". - - - + SV-88307 + V-73643 + CCI-002421 + CCI-002418 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Require strong (Windows 2000 or Later) session key" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. 
-Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 0x00000001 (1) - + This setting may prevent a system from being joined to a domain if not configured consistently between systems. - + SRG-OS-000029-GPOS-00010 <GroupDescription></GroupDescription> - + WN16-SO-000140 The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver. <VulnDiscussion>Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000057 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Machine inactivity limit" to "900" seconds or less, excluding "0" which is effectively disabled. - - - + V-73645 + SV-88309 + CCI-000057 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Machine inactivity limit" to "900" seconds or less, excluding "0" which is effectively disabled. + + + If the following registry value does not exist or is not configured as specified, this is a finding. 
-Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: InactivityTimeoutSecs @@ -10078,30 +10775,32 @@ Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled) - + SRG-OS-000023-GPOS-00006 <GroupDescription></GroupDescription> - + WN16-SO-000150 The required legal notice must be configured to display before console logon. <VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000048 - CCI-000050 - CCI-001384 - CCI-001385 - CCI-001386 - CCI-001387 - CCI-001388 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message text for users attempting to log on" to the following: + V-73647 + SV-88311 + CCI-000050 + CCI-000048 + CCI-001384 + CCI-001387 + CCI-001388 + CCI-001385 + CCI-001386 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message text for users attempting to log on" to the following: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
@@ -10116,12 +10815,12 @@ By using this IS (which includes any device attached to this IS), you consent to -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. - - - + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText 
@@ -10145,37 +10844,39 @@ By using this IS (which includes any device attached to this IS), you consent to - + SRG-OS-000023-GPOS-00006 <GroupDescription></GroupDescription> - + WN16-SO-000160 The Windows dialog box title for the legal banner must be configured with the appropriate text. <VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000048 - CCI-001384 - CCI-001385 - CCI-001386 - CCI-001387 - CCI-001388 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message title for users attempting to log on" to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. + V-73649 + SV-88313 + CCI-000048 + CCI-001386 + CCI-001387 + CCI-001388 + CCI-001384 + CCI-001385 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message title for users attempting to log on" to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN16-SO-000150. 
- - - + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeCaption @@ -10183,7 +10884,7 @@ Value Name: LegalNoticeCaption Value Type: REG_SZ Value: See message title options below -"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN16-SO-000150. 
@@ -10191,31 +10892,68 @@ Automated tools may only search for the titles defined above. If an organization - + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN16-SO-000180 + The Smart Card removal option must be configured to Force Logoff or Lock Workstation. + <VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Windows Server 2016 + DISA + DPMS Target + Windows Server 2016 + 4205 + + SV-88473 + V-73807 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff". + + + + If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: scremoveoption + +Value Type: REG_SZ +Value: 1 (Lock Workstation) or 2 (Force Logoff) + +If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO. 
+ + + + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - + WN16-SO-000190 The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (always)" to "Enabled". - - - + SV-88317 + V-73653 + CCI-002421 + CCI-002418 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (always)" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature 
@@ -10225,31 +10963,33 @@ Value: 0x00000001 (1) - + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - + WN16-SO-000200 The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (if server agrees)" to "Enabled". - - - + SV-88319 + V-73655 + CCI-002421 + CCI-002418 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (if server agrees)" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature 
@@ -10259,25 +10999,27 @@ Value: 0x00000001 (1) - + SRG-OS-000074-GPOS-00042 <GroupDescription></GroupDescription> - + WN16-SO-000210 Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. <VulnDiscussion>Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000197 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Client: Send unencrypted password to third-party SMB servers" to "Disabled". - - - + SV-88321 + V-73657 + CCI-000197 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Client: Send unencrypted password to third-party SMB servers" to "Disabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE 
@@ -10290,31 +11032,33 @@ Value: 0x00000000 (0) - + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - + WN16-SO-000230 The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (always)" to "Enabled". - - - + V-73661 + SV-88325 + CCI-002418 + CCI-002421 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (always)" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature 
@@ -10324,31 +11068,33 @@ Value: 0x00000001 (1) - + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - + WN16-SO-000240 The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (if client agrees)" to "Enabled". - - - + V-73663 + SV-88327 + CCI-002421 + CCI-002418 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (if client agrees)" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature 
@@ -10358,28 +11104,30 @@ Value: 0x00000001 (1) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000260 Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed. <VulnDiscussion>Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled". - - - + V-73667 + SV-88331 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymousSAM 
@@ -10389,28 +11137,30 @@ Value: 0x00000001 (1) - + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - + WN16-SO-000270 Anonymous enumeration of shares must not be allowed. <VulnDiscussion>Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001090 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled". - - - + SV-88333 + V-73669 + CCI-001090 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: RestrictAnonymous 
@@ -10420,28 +11170,30 @@ Value: 0x00000001 (1) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000290 Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group. <VulnDiscussion>Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users must not have these permissions or rights.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Let everyone permissions apply to anonymous users" to "Disabled". - - - + SV-88337 + V-73673 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Let everyone permissions apply to anonymous users" to "Disabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous 
@@ -10451,28 +11203,30 @@ Value: 0x00000000 (0) - + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - + WN16-SO-000300 Anonymous access to Named Pipes and Shares must be restricted. <VulnDiscussion>Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in "Network access: Named Pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously", both of which must be blank under other requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001090 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled". - - - + SV-88339 + V-73675 + CCI-001090 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RestrictNullSessAccess 
@@ -10482,25 +11236,27 @@ Value: 0x00000001 (1) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000320 Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. <VulnDiscussion>Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow Local System to use computer identity for NTLM" to "Enabled". - - - + SV-88343 + V-73679 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow Local System to use computer identity for NTLM" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE 
@@ -10513,25 +11269,27 @@ Value: 0x00000001 (1) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000330 NTLM must be prevented from falling back to a Null session. <VulnDiscussion>NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow LocalSystem NULL session fallback" to "Disabled". - - - + SV-88345 + V-73681 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow LocalSystem NULL session fallback" to "Disabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE 
@@ -10544,25 +11302,27 @@ Value: 0x00000000 (0) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000340 PKU2U authentication using online identities must be prevented. <VulnDiscussion>PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled". - - - + SV-88347 + V-73683 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE 
@@ -10575,33 +11335,35 @@ Value: 0x00000000 (0) - + SRG-OS-000120-GPOS-00061 <GroupDescription></GroupDescription> - + WN16-SO-000350 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. <VulnDiscussion>Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting "The other domain supports Kerberos AES Encryption" on domain trusts, may be required to allow client communication across the trust relationship.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000803 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: + V-73685 + SV-88349 + CCI-000803 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: AES128_HMAC_SHA1 AES256_HMAC_SHA1 -Future encryption types +Future encryption types Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting "The other domain supports Kerberos AES Encryption" on domain trusts, may be required to 
allow client communication across the trust relationship. - - - + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE @@ -10614,28 +11376,30 @@ Value: 0x7ffffff8 (2147483640) - + SRG-OS-000073-GPOS-00041 <GroupDescription></GroupDescription> - + WN16-SO-000360 Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords. <VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000196 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled". - - - + SV-88351 + V-73687 + CCI-000196 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ Value Name: NoLMHash 
@@ -10645,25 +11409,27 @@ Value: 0x00000001 (1) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000380 The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM. <VulnDiscussion>The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to standalone computers that are running later versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM". - - - + SV-88355 + V-73691 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM". + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE 
@@ -10676,28 +11442,30 @@ Value: 0x00000005 (5) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000390 Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing. <VulnDiscussion>This setting controls the signing requirements for LDAP clients. This must be set to "Negotiate signing" or "Require signing", depending on the environment and type of LDAP server in use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum. - - - + SV-88357 + V-73693 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum. + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity 
@@ -10707,28 +11475,30 @@ Value: 0x00000001 (1) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000400 Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. <VulnDiscussion>Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected). - - - + SV-88359 + V-73695 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected). + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec 
@@ -10738,28 +11508,30 @@ Value: 0x20080000 (537395200) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000410 Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. <VulnDiscussion>Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected). - - - + SV-88361 + V-73697 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected). + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec 
@@ -10769,10 +11541,10 @@ Value: 0x20080000 (537395200) - + SRG-OS-000067-GPOS-00035 <GroupDescription></GroupDescription> - + WN16-SO-000420 Users must be required to enter a password to access private keys stored on the computer. <VulnDiscussion>If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. @@ -10783,17 +11555,19 @@ If the private key is stolen, this will lead to the compromise of the authentica Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000186 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Force strong key protection for user keys stored on the computer" to "User must enter a password each time they use a key". - - - + V-73699 + SV-88363 + CCI-000186 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Force strong key protection for user keys stored on the computer" to "User must enter a password each time they use a key". + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE 
@@ -10806,28 +11580,30 @@ Value: 0x00000002 (2) - + SRG-OS-000033-GPOS-00014 <GroupDescription></GroupDescription> - + WN16-SO-000430 Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. <VulnDiscussion>This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. Government and must be the algorithms used for all OS encryption functions. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000068 - CCI-002450 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled". - - - + SV-88365 + V-73701 + CCI-000068 + CCI-002450 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE 
@@ -10837,33 +11613,35 @@ Value Name: Enabled Value Type: REG_DWORD Value: 0x00000001 (1) - + Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise. the browser will not be able to connect to a secure site. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN16-SO-000450 The default permissions of global system objects must be strengthened. <VulnDiscussion>Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. When this policy is enabled, the default DACL is stronger, allowing non-administrative users to read shared objects but not to modify shared objects they did not create.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)" to "Enabled". 
- - - + V-73705 + SV-88369 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ Value Name: ProtectionMode 
@@ -10873,32 +11651,34 @@ Value: 0x00000001 (1) - + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - + WN16-SO-000460 User Account Control approval mode for the built-in Administrator must be enabled. <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode. Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002038 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled". - - - + SV-88371 + V-73707 + CCI-002038 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled". + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. 
-Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken 
@@ -10908,30 +11688,32 @@ Value: 0x00000001 (1) - + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - + WN16-SO-000470 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001084 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" to "Disabled". - - - + SV-88373 + V-73709 + CCI-001084 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" to "Disabled". + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. 
-Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableUIADesktopToggle 
@@ -10941,27 +11723,29 @@ Value: 0x00000000 (0) - + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - + WN16-SO-000480 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001084 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent on the secure desktop". + SV-88375 + V-73711 + CCI-001084 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent on the secure desktop". The more secure option for this setting, "Prompt for credentials on the secure desktop", would also be acceptable. - - - + + + UAC requirements are NA for Server Core installations (this is default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. 
If the following registry value does not exist or is not configured as specified, this is a finding. 
@@ -10977,32 +11761,34 @@ Value: 0x00000002 (2) (Prompt for consent on the secure desktop) - + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - + WN16-SO-000490 User Account Control must automatically deny standard user requests for elevation. <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account. Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002038 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests". - - - + V-73713 + SV-88377 + CCI-002038 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests". + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. 
-Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser 
@@ -11012,30 +11798,32 @@ Value: 0x00000000 (0) - + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - + WN16-SO-000500 User Account Control must be configured to detect application installations and prompt for elevation. <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Windows to respond to application installation requests by prompting for credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001084 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Detect application installations and prompt for elevation" to "Enabled". - - - + V-73715 + SV-88379 + CCI-001084 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Detect application installations and prompt for elevation" to "Enabled". + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection 
@@ -11045,30 +11833,32 @@ Value: 0x00000001 (1) - + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - + WN16-SO-000510 User Account Control must only elevate UIAccess applications that are installed in secure locations. <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\System32 folders, to run with elevated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001084 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled". - - - + V-73717 + SV-88381 + CCI-001084 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled". + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. 
-Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths 
@@ -11078,32 +11868,34 @@ Value: 0x00000001 (1) - + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - + WN16-SO-000520 User Account Control must run all administrators in Admin Approval Mode, enabling UAC. <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002038 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled". - - - + V-73719 + SV-88383 + CCI-002038 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled". + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA 
@@ -11113,30 +11905,32 @@ Value: 0x00000001 (1) - + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - + WN16-SO-000530 User Account Control must virtualize file and registry write failures to per-user locations. <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-001084 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled". - - - + SV-88385 + V-73721 + CCI-001084 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled". + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. If the following registry value does not exist or is not configured as specified, this is a finding. 
-Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization 
@@ -11145,352 +11939,106 @@ Value Type: REG_DWORD Value: 0x00000001 (1) - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN16-UC-000030 - Zone information must be preserved when saving attachments. - <VulnDiscussion>Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000366 - The default behavior is for Windows to mark file attachments with their zone information. - -If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> "Do not preserve zone information in file attachments" to "Not Configured" or "Disabled". - - - - The default behavior is for Windows to mark file attachments with their zone information. - -If the registry Value Name below does not exist, this is not a finding. - -If it exists and is configured with a value of "2", this is not a finding. - -If it exists and is configured with a value of "1", this is a finding. - -Registry Hive: HKEY_CURRENT_USER -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ - -Value Name: SaveZoneInformation - -Value Type: REG_DWORD -Value: 0x00000002 (2) (or if the Value Name does not exist) - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN16-SO-000180 - The Smart Card removal option must be configured to Force Logoff or Lock Workstation. 
- <VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff". - - - - If the following registry value does not exist or is not configured as specified, this is a finding. - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Value Name: scremoveoption - -Value Type: REG_SZ -Value: 1 (Lock Workstation) or 2 (Force Logoff) - -If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO. - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN16-00-000411 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. - <VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 Server" to "Disabled". - -The system must be restarted for the change to take effect. - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - - - - Different methods are available to disable SMBv1 on Windows 2016, if V-73299 is configured, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ - -Value Name: SMB1 - -Type: REG_DWORD -Value: 0x00000000 (0) - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN16-00-000412 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. - <VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client driver" to "Enabled" with "Disable driver (recommended)" selected for "Configure MrxSmb10 driver". - -The system must be restarted for the changes to take effect. - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - - - - Different methods are available to disable SMBv1 on Windows 2016, if V-73299 is configured, this is NA. - -If the following registry value is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ - -Value Name: Start - -Type: REG_DWORD -Value: 0x00000004 (4) - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN16-00-000470 - Secure Boot must be enabled on Windows Server 2016 systems. - <VulnDiscussion>Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security features in Windows Server 2016, including Virtualization Based Security and Credential Guard. 
If Secure Boot is turned off, these security features will not function.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000366 - Enable Secure Boot in the system firmware. - - - - Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. - -Run "System Information". - -Under "System Summary", if "Secure Boot State" does not display "On", this is finding. - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN16-00-000480 - Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. - <VulnDiscussion>UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional security features in Windows Server 2016, including Virtualization Based Security and Credential Guard. 
Systems with UEFI that are operating in "Legacy BIOS" mode will not support these security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000366 - Configure UEFI firmware to run in "UEFI" mode, not "Legacy BIOS" mode. - - - - Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must run in "UEFI" mode. - -Verify the system firmware is configured to run in "UEFI" mode, not "Legacy BIOS". - -Run "System Information". - -Under "System Summary", if "BIOS Mode" does not display "UEFI", this is finding. - - - - - SRG-OS-000470-GPOS-00214 - <GroupDescription></GroupDescription> - - WN16-AU-000285 - Windows 2016 must be configured to audit Object Access - Other Object Access Events successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. - -Use the "AuditPol" tool to review the current Audit Policy configuration: - -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as Administrator"). - -Enter "AuditPol /get /category:*" - -Compare the "AuditPol" settings with the following: - -If the system does not audit the following, this is a finding. - -Object Access >> Other Object Access Events - Success - - - - - SRG-OS-000470-GPOS-00214 - <GroupDescription></GroupDescription> - - WN16-AU-000286 - Windows 2016 must be configured to audit Object Access - Other Object Access Events failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN16-UC-000030 + Zone information must be preserved when saving attachments. + <VulnDiscussion>Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
+ SV-88391 + V-73727 + CCI-000366 + The default behavior is for Windows to mark file attachments with their zone information. -Use the "AuditPol" tool to review the current Audit Policy configuration: +If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> "Do not preserve zone information in file attachments" to "Not Configured" or "Disabled". + + + + The default behavior is for Windows to mark file attachments with their zone information. -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as Administrator"). +If the registry Value Name below does not exist, this is not a finding. -Enter "AuditPol /get /category:*" +If it exists and is configured with a value of "2", this is not a finding. -Compare the "AuditPol" settings with the following: +If it exists and is configured with a value of "1", this is a finding. -If the system does not audit the following, this is a finding. +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ -Object Access >> Other Object Access Events - Failure +Value Name: SaveZoneInformation + +Value Type: REG_DWORD +Value: 0x00000002 (2) (or if the Value Name does not exist) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-DC-000430 - The password for the krbtgt account on a domain must be reset at least every 180 days. - <VulnDiscussion>The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domain is created and the password is typically not changed. If the krbtgt account is compromised, attackers can create valid Kerberos Ticket Granting Tickets (TGT). 
- -The password must be changed twice to effectively remove the password history.Changing once, waiting for replication to complete and the amount of time equal to or greater than the maximum Kerberos ticket lifetime, and changing again reduces the risk of issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-00-000460 + Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016. + <VulnDiscussion>Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there is a potential they may still have rights no longer intended. Valid domain accounts or groups may also show up as unresolved SIDs if a connection to the domain cannot be established for some reason.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Reset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. 
Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. - -PowerShell scripts are available to accomplish this such as at the following link: -https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 - -Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). - -Select "Advanced Features" in the "View" menu if not previously selected. - -Select the "Users" node. - -Right click on the krbtgt account and select "Reset password". - -Enter a password that meets password complexity requirements. + SV-92833 + V-78127 + CCI-000366 + Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy. + + + + Review the effective User Rights setting in Local Group Policy Editor. -Clear the "User must change password at next logon" check box. +Run "gpedit.msc". -The system will automatically change this to a system generated complex password. - - - - This requirement is applicable to domain controllers; it is NA for other systems. +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -Open "Windows PowerShell". +Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) -Enter "Get-ADUser krbtgt -Property PasswordLastSet". +If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. -If the "PasswordLastSet" date is more than 180 days old, this is a finding. + - + SRG-OS-000329-GPOS-00128 <GroupDescription></GroupDescription> - + WN16-AC-000010 Windows 2016 account lockout duration must be configured to 15 minutes or greater. 
<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002238 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. + SV-87961 + V-73309 + CCI-002238 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. A value of "0" is also acceptable, requiring an administrator to unlock the account. - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
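Review bot: the WN16-AC-000010 fix text now reads `A value of "0" is also acceptable, requiring an administrator to unlock the account.`, and the check text still excludes "0" when testing for less than 15 minutes, so an account lockout duration of 0 is compliant under V2R1. Whatever parses this rule into an account-policy setting must treat 0 as a valid value (not as "less than 15"), or a DISA-accepted configuration will be reported as a finding; a test for the 0 case is warranted. Separately, this hunk deletes the rules WN16-SO-000180, WN16-00-000411, WN16-00-000412, WN16-00-000470, WN16-00-000480, WN16-AU-000285, WN16-AU-000286 and WN16-DC-000430, while only WN16-UC-000030 and WN16-AC-000010 reappear as `+` lines and WN16-00-000460 is new at this position; nothing here shows where the deleted rules went. Confirm each of those Group/Rule IDs still exists elsewhere in the new file (grep the IDs in the old and new XML) so SMBv1, Secure Boot/UEFI, audit and krbtgt coverage is not silently lost and any rule IDs referenced elsewhere (exception lists, tests) still resolve. The benchmark target also changes from `Windows 2016` / `3157` to `Windows Server 2016` / `4205` in every hunk; check anything keyed on the old target name.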
@@ -11503,25 +12051,27 @@ If the "Account lockout duration" is less than "15" minutes (excluding "0"), thi - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - + WN16-AC-000020 Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less. <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack while allowing for honest errors made during normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000044 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout threshold" to "3" or fewer invalid logon attempts (excluding "0", which is unacceptable). - - - + SV-87963 + V-73311 + CCI-000044 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout threshold" to "3" or fewer invalid logon attempts (excluding "0", which is unacceptable). + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -11534,28 +12084,30 @@ If the "Account lockout threshold" is "0" or more than "3" attempts, this is a f - + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - + WN16-AC-000030 Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to "0". The smaller this value is, the less effective the account lockout feature will be in protecting the local system. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000044 - CCI-002238 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes. - - - + SV-87965 + V-73313 + CCI-000044 + CCI-002238 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes. + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -11568,25 +12120,27 @@ If the "Reset account lockout counter after" value is less than "15" minutes, th - + SRG-OS-000077-GPOS-00045 <GroupDescription></GroupDescription> - + WN16-AC-000040 Windows Server 2016 password history must be configured to 24 passwords remembered. <VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is "24" for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000200 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered. - - - + V-73315 + SV-87967 + CCI-000200 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered. + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
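Review bot: the legacy identifiers for WN16-AC-000040 are listed as `V-73315` then `SV-87967`, whereas the earlier rules in this patch list the `SV-` value first (`SV-87963`, `V-73311`); the same V-first order recurs for WN16-AC-000050, WN16-AC-000060 and WN16-DC-000340 below. Since the order is inconsistent within one benchmark, any LegacyId extraction has to select the value by its prefix (`V-` vs `SV-`) rather than by position, and the tests should include a rule with each ordering.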
@@ -11599,25 +12153,27 @@ If the value for "Enforce password history" is less than "24" passwords remember - + SRG-OS-000076-GPOS-00044 <GroupDescription></GroupDescription> - + WN16-AC-000050 Windows Server 2016 maximum password age must be configured to 60 days or less. <VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000199 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Maximum password age" to "60" days or less (excluding "0", which is unacceptable). - - - + V-73317 + SV-87969 + CCI-000199 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Maximum password age" to "60" days or less (excluding "0", which is unacceptable). + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -11632,25 +12188,27 @@ If the value is set to "0" (never expires), this is a finding. - + SRG-OS-000075-GPOS-00043 <GroupDescription></GroupDescription> - + WN16-AC-000060 Windows Server 2016 minimum password age must be configured to at least one day. <VulnDiscussion>Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000198 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password age" to at least "1" day. - - - + V-73319 + SV-87971 + CCI-000198 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password age" to at least "1" day. + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -11663,25 +12221,27 @@ If the value for the "Minimum password age" is set to "0" days ("Password can be - + SRG-OS-000078-GPOS-00046 <GroupDescription></GroupDescription> - + WN16-AC-000070 Windows Server 2016 minimum password length must be configured to 14 characters. <VulnDiscussion>Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000205 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password length" to "14" characters. - - - + SV-87973 + V-73321 + CCI-000205 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password length" to "14" characters. + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -11694,30 +12254,32 @@ If the value for the "Minimum password length," is less than "14" characters, th - + SRG-OS-000069-GPOS-00037 <GroupDescription></GroupDescription> - + WN16-AC-000080 Windows Server 2016 must have the built-in Windows password complexity policy enabled. <VulnDiscussion>The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, upper- and lower-case letters, and special characters) and prevents the inclusion of user names or parts of user names. Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000071-GPOS-00039, SRG-OS-000266-GPOS-00101</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000192 - CCI-000193 - CCI-000194 - CCI-001619 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled". - - - + SV-87975 + V-73323 + CCI-000192 + CCI-000193 + CCI-000194 + CCI-001619 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled". + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -11730,25 +12292,27 @@ If the value for "Password must meet complexity requirements" is not set to "Ena - + SRG-OS-000073-GPOS-00041 <GroupDescription></GroupDescription> - + WN16-AC-000090 Windows Server 2016 reversible password encryption must be disabled. <VulnDiscussion>Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. For this reason, this policy must never be enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000196 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled". - - - + SV-87977 + V-73325 + CCI-000196 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled". + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -11761,159 +12325,204 @@ If the value for "Store passwords using reversible encryption" is not set to "Di - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - WN16-SO-000030 - Windows Server 2016 built-in administrator account must be renamed. - <VulnDiscussion>The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000340 + The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and +Enterprise Domain Controllers groups on domain controllers. + <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
+ +Accounts with the "Access this computer from the network" right may access resources on the system, and this right must be limited to those requiring it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename administrator account" to a name other than "Administrator". - - - - Verify the effective setting in Local Group Policy Editor. + V-73731 + SV-88395 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to include only the following accounts or groups: + +- Administrators +- Authenticated Users +- Enterprise Domain Controllers + + + + This applies to domain controllers. It is NA for other systems. + +Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding. +If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding. 
+ +- Administrators +- Authenticated Users +- Enterprise Domain Controllers - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-SO-000040 - Windows Server 2016 built-in guest account must be renamed. - <VulnDiscussion>The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000350 + The Add workstations to domain user right must only be assigned to the Administrators group. + <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Add workstations to domain" right may add computers to a domain. 
This could result in unapproved or incorrectly configured systems being added to a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename guest account" to a name other than "Guest". - - - - Verify the effective setting in Local Group Policy Editor. + SV-88401 + V-73737 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Add workstations to domain" to include only the following accounts or groups: + +- Administrators + + + + This applies to domain controllers. It is NA for other systems. + +Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding. +If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding. 
+ +- Administrators - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - WN16-SO-000250 - Anonymous SID/Name translation must not be allowed. - <VulnDiscussion>Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-DC-000360 + The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group. + <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Allow log on through Remote Desktop Services" user right can access a system through Remote Desktop.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Allow anonymous SID/Name translation" to "Disabled". - - - - Verify the effective setting in Local Group Policy Editor. 
+ SV-88405 + V-73741 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on through Remote Desktop Services" to include only the following accounts or groups: + +- Administrators + + + + This applies to domain controllers, it is NA for other systems. +Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. +If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding. + +- Administrators - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - WN16-UR-000010 - The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. + + WN16-DC-000370 + The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
-Accounts with the "Access Credential Manager as a trusted caller" user right may be able to retrieve the credentials of other accounts from Credential Manager.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +The "Deny access to this computer from the network" user right defines the accounts that are prevented from logging on from the network. + +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank). - - - - Verify the effective setting in Local Group Policy Editor. + SV-88421 + V-73757 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following: + +- Guests Group + + + + This applies to domain controllers. A separate version applies to other systems. + +Verify the effective setting in Local Group Policy Editor. 
Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding. +If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding. + +- Guests Group - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - WN16-DC-000340 - The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and -Enterprise Domain Controllers groups on domain controllers. + + WN16-DC-000380 + The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -Accounts with the "Access this computer from the network" right may access resources on the system, and this right must be limited to those requiring it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +The "Deny log on as a batch job" user right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler. 
+ +The Guests group must be assigned to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to include only the following accounts or groups: + SV-88425 + V-73761 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following: -- Administrators -- Authenticated Users -- Enterprise Domain Controllers - - - - This applies to domain controllers. It is NA for other systems. +- Guests Group + + + + This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. 
@@ -11921,73 +12530,81 @@ Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding. +If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding. -- Administrators -- Authenticated Users -- Enterprise Domain Controllers +- Guests Group - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - WN16-UR-000030 - The Act as part of the operating system user right must not be assigned to any groups or accounts. + + WN16-DC-000390 + The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -Accounts with the "Act as part of the operating system" user right can assume the identity of any user and gain access to resources that the user is authorized to access. Any accounts with this right can take complete control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +The "Deny log on as a service" user right defines accounts that are denied logon as a service. 
+ +Incorrect configurations could prevent services from starting and result in a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank). - - - - Verify the effective setting in Local Group Policy Editor. + V-73765 + SV-88429 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include no entries (blank). + + + + This applies to domain controllers. A separate version applies to other systems. + +Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. +If any accounts or groups are defined for the "Deny log on as a service" user right, this is a finding. - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - WN16-DC-000350 - The Add workstations to domain user right must only be assigned to the Administrators group. 
+ + WN16-DC-000400 + The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -Accounts with the "Add workstations to domain" right may add computers to a domain. This could result in unapproved or incorrectly configured systems being added to a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +The "Deny log on locally" user right defines accounts that are prevented from logging on interactively. + +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Add workstations to domain" to include only the following accounts or groups: + V-73769 + SV-88433 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following: -- Administrators - - - - This applies to domain 
controllers. It is NA for other systems. +- Guests Group + + + + This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. 
@@ -11995,82 +12612,91 @@ Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding. +If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding. -- Administrators +- Guests Group - - SRG-OS-000080-GPOS-00048 + + SRG-OS-000297-GPOS-00115 <GroupDescription></GroupDescription> - - WN16-UR-000050 - The Allow log on locally user right must only be assigned to the Administrators group. + + WN16-DC-000410 + The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -Accounts with the "Allow log on locally" user right can log on interactively to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +The "Deny log on through Remote Desktop Services" user right defines the accounts that are prevented from logging on using Remote Desktop Services. 
+ +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to include only the following accounts or groups: + SV-88437 + V-73773 + CCI-002314 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following: -- Administrators - - - - Verify the effective setting in Local Group Policy Editor. +- Guests Group + + + + This applies to domain controllers. A separate version applies to other systems. + +Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding. +If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding. -- Administrators +- Guests Group - - SRG-OS-000080-GPOS-00048 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-DC-000360 - The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group. 
+ + WN16-DC-000420 + The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -Accounts with the "Allow log on through Remote Desktop Services" user right can access a system through Remote Desktop.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. This could allow unauthorized users to impersonate other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on through Remote Desktop Services" to include only the following accounts or groups: + SV-88441 + V-73777 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to include only the 
following accounts or groups: - Administrators - - - - This applies to domain controllers, it is NA for other systems. + + + + This applies to domain controllers. A separate version applies to other systems. Verify the effective setting in Local Group Policy Editor. + Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding. +If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding. - Administrators 
@@ -12078,260 +12704,240 @@ If any accounts or groups other than the following are granted the "Allow log on - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000121-GPOS-00062 <GroupDescription></GroupDescription> - - WN16-UR-000070 - The Back up files and directories user right must only be assigned to the Administrators group. - <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Back up files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-SO-000010 + Windows Server 2016 built-in guest account must be disabled. + <VulnDiscussion>A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. 
This account is initialized during the installation of the operating system with no password assigned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to include only the following accounts or groups: - -- Administrators - - - + V-73809 + SV-88475 + CCI-000804 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Guest account status" to "Disabled". + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding. +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. -- Administrators +If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. - - SRG-OS-000324-GPOS-00125 - <GroupDescription></GroupDescription> - - WN16-UR-000080 - The Create a pagefile user right must only be assigned to the Administrators group. 
- <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Create a pagefile" user right can change the size of a pagefile, which could affect system performance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN16-SO-000030 + Windows Server 2016 built-in administrator account must be renamed. + <VulnDiscussion>The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a pagefile" to include only the following accounts or groups: - -- Administrators - - - + SV-88287 + V-73623 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename administrator account" to a name other than "Administrator". 
+ + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding. +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. -- Administrators +If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding. - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-UR-000090 - The Create a token object user right must not be assigned to any groups or accounts. - <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -The "Create a token object" user right allows a process to create an access token. This could be used to provide elevated rights and compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-SO-000040 + Windows Server 2016 built-in guest account must be renamed. + <VulnDiscussion>The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. 
Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank). - - - + V-73625 + SV-88289 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename guest account" to a name other than "Guest". + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups are granted the "Create a token object" user right, this is a finding. +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. -If an application requires this user right, this would not be a finding. +If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding. - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN16-UR-000100 - The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. 
- <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Create global objects" user right can create objects that are available to all sessions, which could affect processes in other users' sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN16-SO-000250 + Anonymous SID/Name translation must not be allowed. + <VulnDiscussion>Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create global objects" to include only the following accounts or groups: - -- Administrators -- Service -- Local Service -- Network Service - - - + V-73665 + SV-88329 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Allow anonymous SID/Name translation" to "Disabled". 
+ + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding. +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. -- Administrators -- Service -- Local Service -- Network Service +If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-UR-000110 - The Create permanent shared objects user right must not be assigned to any groups or accounts. + + WN16-UR-000010 + The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
-Accounts with the "Create permanent shared objects" user right could expose sensitive data by creating shared objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Access Credential Manager as a trusted caller" user right may be able to retrieve the credentials of other accounts from Credential Manager.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create permanent shared objects" to be defined but containing no entries (blank). - - - + SV-88393 + V-73729 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank). + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding. 
+If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding. - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-UR-000120 - The Create symbolic links user right must only be assigned to the Administrators group. + + WN16-UR-000030 + The Act as part of the operating system user right must not be assigned to any groups or accounts. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -Accounts with the "Create symbolic links" user right can create pointers to other objects, which could expose the system to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Act as part of the operating system" user right can assume the identity of any user and gain access to resources that the user is authorized to access. 
Any accounts with this right can take complete control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create symbolic links" to include only the following accounts or groups: - -- Administrators - -Systems that have the Hyper-V role will also have "Virtual Machines" given this user right. If this needs to be added manually, enter it as "NT Virtual Machine\Virtual Machines". - - - + SV-88399 + V-73735 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank). + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding. - -- Administrators +If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - WN16-UR-000130 - The Debug programs user right must only be assigned to the Administrators group. 
+ + WN16-UR-000050 + The Allow log on locally user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -Accounts with the "Debug programs" user right can attach a debugger to any process or to the kernel, providing complete access to sensitive and critical operating system components. This right is given to Administrators in the default configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Allow log on locally" user right can log on interactively to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to include only the following accounts or groups: + SV-88403 + V-73739 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. 
Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding. +If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding. - Administrators 
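Review bot: the two new legacy-id elements are not emitted in a consistent order in this hunk: the rename-administrator rule (WN16-SO-000030) adds SV-88287 before V-73623, while the rename-guest rule (WN16-SO-000040) adds V-73625 before SV-88289. Any code that reads these ids by position (first element is the SV id, second is the V id) will swap them for the second form; match on the `SV-`/`V-` prefix instead of position, and add a conversion test that covers a rule in each order. Also note that WN16-UR-000090 ("Create a token object") is removed in this hunk and its re-added counterpart is not within the visible hunks; please confirm it still exists in the updated benchmark.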
@@ -12339,239 +12945,237 @@ If any accounts or groups other than the following are granted the "Debug progra - - SRG-OS-000080-GPOS-00048 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-DC-000370 - The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. + + WN16-UR-000070 + The Back up files and directories user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny access to this computer from the network" user right defines the accounts that are prevented from logging on from the network. - -The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Back up files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny 
access to this computer from the network" to include the following: - -- Guests Group - - - - This applies to domain controllers. A separate version applies to other systems. + SV-88407 + V-73743 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to include only the following accounts or groups: -Verify the effective setting in Local Group Policy Editor. +- Administrators + + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding. +If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding. -- Guests Group +- Administrators - - SRG-OS-000080-GPOS-00048 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-DC-000380 - The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. + + WN16-UR-000080 + The Create a pagefile user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny log on as a batch job" user right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler. 
- -The Guests group must be assigned to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Create a pagefile" user right can change the size of a pagefile, which could affect system performance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following: - -- Guests Group - - - - This applies to domain controllers. A separate version applies to other systems. + SV-88409 + V-73745 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a pagefile" to include only the following accounts or groups: -Verify the effective setting in Local Group Policy Editor. +- Administrators + + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
-If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding. +If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding. -- Guests Group +- Administrators - - SRG-OS-000080-GPOS-00048 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-DC-000390 - The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. + + WN16-UR-000100 + The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny log on as a service" user right defines accounts that are denied logon as a service. - -Incorrect configurations could prevent services from starting and result in a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Create global objects" user right can create objects that are available to all sessions, which could affect processes in other users' sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 
4205 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include no entries (blank). - - - - This applies to domain controllers. A separate version applies to other systems. + SV-88413 + V-73749 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create global objects" to include only the following accounts or groups: -Verify the effective setting in Local Group Policy Editor. +- Administrators +- Service +- Local Service +- Network Service + + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups are defined for the "Deny log on as a service" user right, this is a finding. +If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding. + +- Administrators +- Service +- Local Service +- Network Service - - SRG-OS-000080-GPOS-00048 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-DC-000400 - The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. + + WN16-UR-000110 + The Create permanent shared objects user right must not be assigned to any groups or accounts. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny log on locally" user right defines accounts that are prevented from logging on interactively. 
- -The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Create permanent shared objects" user right could expose sensitive data by creating shared objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following: - -- Guests Group - - - - This applies to domain controllers. A separate version applies to other systems. - -Verify the effective setting in Local Group Policy Editor. + SV-88415 + V-73751 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create permanent shared objects" to be defined but containing no entries (blank). + + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
-If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding. - -- Guests Group +If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding. - - SRG-OS-000297-GPOS-00115 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-DC-000410 - The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access. + + WN16-UR-000120 + The Create symbolic links user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Deny log on through Remote Desktop Services" user right defines the accounts that are prevented from logging on using Remote Desktop Services. - -The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Create symbolic links" user right can create pointers to other objects, which could expose the system to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002314 - Configure the policy value for 
Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following: + SV-88417 + V-73753 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create symbolic links" to include only the following accounts or groups: -- Guests Group - - - - This applies to domain controllers. A separate version applies to other systems. +- Administrators -Verify the effective setting in Local Group Policy Editor. +Systems that have the Hyper-V role will also have "Virtual Machines" given this user right. If this needs to be added manually, enter it as "NT Virtual Machine\Virtual Machines". + + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding. +If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding. -- Guests Group +- Administrators - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-DC-000420 - The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. + + WN16-UR-000130 + The Debug programs user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. 
This could allow unauthorized users to impersonate other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Debug programs" user right can attach a debugger to any process or to the kernel, providing complete access to sensitive and critical operating system components. This right is given to Administrators in the default configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to include only the following accounts or groups: + SV-88419 + V-73755 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to include only the following accounts or groups: - Administrators - - - - This applies to domain controllers. A separate version applies to other systems. - -Verify the effective setting in Local Group Policy Editor. + + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding. +If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding. - Administrators 
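Review bot: the domain-controller-only deny rules WN16-DC-000370 through WN16-DC-000420 (deny access from the network, deny batch logon, deny service logon, deny local logon, deny Remote Desktop logon, trusted for delegation) are all removed in this hunk and replaced by the resequenced WN16-UR-000070 through WN16-UR-000130 user-rights rules, and none of the DC rules is re-added within the visible hunks. Since the benchmark appears to have been reordered rather than trimmed, confirm the DC rules still exist later in the updated XCCDF and that the processed DC data still carries them, ideally by diffing the set of rule ids between the old and new files rather than relying on this line-based diff, which makes a pure reorder look like deletions.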
@@ -12579,29 +13183,31 @@ If any accounts or groups other than the following are granted the "Enable compu - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN16-UR-000200 The Force shutdown from a remote system user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Force shutdown from a remote system" user right can remotely shut down a system, which could result in a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to include only the following accounts or groups: + SV-88445 + V-73781 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
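Review bot: apart from the added legacy ids SV-88445/V-73781, the only change in this hunk is benchmark metadata: the DPMS target and reference strings move from "Windows 2016" to "Windows Server 2016" and the release identifier from 3157 to 4205, with the rule text itself unchanged. Confirm that nothing in the conversion pipeline or in the naming of generated output matches on the old "Windows 2016" target string, and that any processed output that embeds the release identifier is regenerated to carry 4205.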
@@ -12616,30 +13222,32 @@ If any accounts or groups other than the following are granted the "Force shutdo - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN16-UR-000210 The Generate security audits user right must only be assigned to Local Service and Network Service. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Generate security audits" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Generate security audits" to include only the following accounts or groups: + SV-88447 + V-73783 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Generate security audits" to include only the following accounts or groups: - Local Service - Network Service - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12655,32 +13263,34 @@ If any accounts or groups other than the following are granted the "Generate sec - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN16-UR-000220 The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Impersonate a client after authentication" user right allows a program to impersonate another user or account to run on their behalf. An attacker could use this to elevate privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to include only the following accounts or groups: + V-73785 + SV-88449 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to include only the following accounts or groups: - Administrators - Service - Local Service - Network Service - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
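Review bot: the LegacyId lookup must pick the V- and SV- values by prefix, not by position in the list: here the order is V-73785 then SV-88449, the reverse of the SV-first order in the WN16-UR-000200 and WN16-UR-000210 hunks above, so a positional read would return the SV- number for some rules and the V- number for others.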
@@ -12698,29 +13308,31 @@ If any accounts or groups other than the following are granted the "Impersonate - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN16-UR-000230 The Increase scheduling priority user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Increase scheduling priority" user right can change a scheduling priority, causing performance issues or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Increase scheduling priority" to include only the following accounts or groups: + V-73787 + SV-88451 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Increase scheduling priority" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12735,29 +13347,31 @@ If any accounts or groups other than the following are granted the "Increase sch - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN16-UR-000240 The Load and unload device drivers user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Load and unload device drivers" user right allows a user to load device drivers dynamically on a system. This could be used by an attacker to install malicious code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to include only the following accounts or groups: + V-73789 + SV-88453 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12772,27 +13386,29 @@ If any accounts or groups other than the following are granted the "Load and unl - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN16-UR-000250 The Lock pages in memory user right must not be assigned to any groups or accounts. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Lock pages in memory" user right allows physical memory to be assigned to processes, which could cause performance issues or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank). - - - + V-73791 + SV-88455 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank). + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12805,10 +13421,10 @@ If any accounts or groups are granted the "Lock pages in memory" user right, thi - + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - + WN16-UR-000260 The Manage auditing and security log user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. @@ -12817,23 +13433,25 @@ Accounts with the "Manage auditing and security log" user right can manage the s Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000337-GPOS-00129</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000162 - CCI-000163 - CCI-000164 - CCI-000171 - CCI-001914 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to include only the following accounts or groups: + V-73793 + SV-88457 + CCI-000162 + CCI-000163 + CCI-000171 + CCI-000164 + CCI-001914 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
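Review bot: compare CCIs as a set, not as an ordered list: CCI-000171 moves ahead of CCI-000164 in the CCI list for WN16-UR-000260 while the set itself is unchanged (CCI-000162, CCI-000163, CCI-000164, CCI-000171, CCI-001914), so any test or processed-data comparison that checks CCIs in order will fail on this rule for no real difference.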
@@ -12848,29 +13466,31 @@ If any accounts or groups other than the following are granted the "Manage audit - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN16-UR-000270 The Modify firmware environment values user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Modify firmware environment values" user right can change hardware configuration environment variables. This could result in hardware failures or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Modify firmware environment values" to include only the following accounts or groups: + V-73795 + SV-88459 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Modify firmware environment values" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12885,29 +13505,31 @@ If any accounts or groups other than the following are granted the "Modify firmw - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN16-UR-000280 The Perform volume maintenance tasks user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Perform volume maintenance tasks" user right can manage volume and disk configurations. This could be used to delete volumes, resulting in data loss or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to include only the following accounts or groups: + V-73797 + SV-88461 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12922,29 +13544,31 @@ If any accounts or groups other than the following are granted the "Perform volu - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN16-UR-000290 The Profile single process user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Profile single process" user right can monitor non-system processes performance. An attacker could use this to identify processes to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Profile single process" to include only the following accounts or groups: + SV-88463 + V-73799 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Profile single process" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12959,73 +13583,75 @@ If any accounts or groups other than the following are granted the "Profile sing - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-UR-000300 - The Restore files and directories user right must only be assigned to the Administrators group. + + WN16-UR-000090 + The Create a token object user right must not be assigned to any groups or accounts. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -Accounts with the "Restore files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data. It could also be used to overwrite more current data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +The "Create a token object" user right allows a process to create an access token. 
This could be used to provide elevated rights and compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to include only the following accounts or groups: - -- Administrators - - - + SV-88411 + V-73747 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank). + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding. +If any accounts or groups are granted the "Create a token object" user right, this is a finding. -- Administrators +If an application requires this user right, this would not be a finding. - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-UR-000310 - The Take ownership of files or other objects user right must only be assigned to the Administrators group. + + WN16-UR-000300 + The Restore files and directories user right must only be assigned to the Administrators group. 
<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -Accounts with the "Take ownership of files or other objects" user right can take ownership of objects and make changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Restore files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data. It could also be used to overwrite more current data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Take ownership of files or other objects" to include only the following accounts or groups: + SV-88465 + V-73801 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding. +If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding. - Administrators 
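Review bot: confirm the V1R10 position of WN16-UR-000090 is removed elsewhere in the file so the rule is not present twice: it is inserted here between WN16-UR-000290 and WN16-UR-000300, with the following rules shifting down, which is why the hunk shows "Restore files and directories" replacing "Take ownership of files or other objects" rather than a clean move. The check text for WN16-UR-000090 also adds "If an application requires this user right, this would not be a finding." while the fix text still requires the setting to be blank, so the converted rule needs to allow an organizational exception instead of hard-failing on any assignment.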
@@ -13033,65 +13659,40 @@ If any accounts or groups other than the following are granted the "Take ownersh - - SRG-OS-000121-GPOS-000062 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN16-SO-000010 - Windows Server 2016 built-in guest account must be disabled. - <VulnDiscussion>A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2016 - DISA - DPMS Target - Windows 2016 - 3157 - - CCI-000804 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Guest account status" to "Disabled". - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. - -If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. + + WN16-UR-000310 + The Take ownership of files or other objects user right must only be assigned to the Administrators group. + <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN16-00-000460 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016. 
- <VulnDiscussion>Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there is a potential they may still have rights no longer intended. Valid domain accounts or groups may also show up as unresolved SIDs if a connection to the domain cannot be established for some reason.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Take ownership of files or other objects" user right can take ownership of objects and make changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2016 + DPMS Target Windows Server 2016 DISA DPMS Target - Windows 2016 - 3157 + Windows Server 2016 + 4205 - CCI-000366 - Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy. - - - - Review the effective User Rights setting in Local Group Policy Editor. 
+ SV-88467 + V-73803 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Take ownership of files or other objects" to include only the following accounts or groups: + +- Administrators + + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) +If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding. -If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. +- Administrators diff --git a/source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V1R10_Manual-xccdf.log b/source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V1R10_Manual-xccdf.log deleted file mode 100644 index 6e62fb13e..000000000 --- a/source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V1R10_Manual-xccdf.log +++ /dev/null 
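Review bot: confirm WN16-SO-000010 (built-in guest account must be disabled, CCI-000804) and WN16-00-000460 (orphaned SIDs in user rights, CCI-000366) still appear elsewhere in the V2R1 XML: this hunk drops both from the tail of the file and puts WN16-UR-000310 in their place, and the diff only shows them deleted, so if they were not relocated the module silently loses the guest-account and orphaned-SID checks.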
@@ -1,9 +0,0 @@ -V-73509::Value: RequireMutualAuthentication=1, RequireIntegrity=1::Value: RequireMutualAuthentication=1,RequireIntegrity=1 -V-73521::Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name does not exist)::Value: 0x00000001 (1) or 0x00000003 (3) or 0x00000008 (8) (or if the Value Name does not exist) -V-73591::Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ -V-73551::Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)::Value: 0x00000000 (0) (Security) or 0x00000001 (1) (Basic) -V-73711::Value: 0x00000002 (2) (Prompt for consent on the secure desktop)::Value: 1 or 2 -V-73253::\Windows::C:\Windows -V-73321::"Minimum password length,"::"Minimum password length" -V-73753::- Administrators::- Administrators`r`nHyper-V -V-73755::Passwords for application accounts with this user right must be protected as highly privileged accounts.::"" diff --git a/source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V2R1_Manual-xccdf.log b/source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V2R1_Manual-xccdf.log new file mode 100644 index 000000000..d4a33a218 --- /dev/null +++ b/source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V2R1_Manual-xccdf.log 
@@ -0,0 +1,9 @@ +V-224921::Value: RequireMutualAuthentication=1, RequireIntegrity=1::Value: RequireMutualAuthentication=1,RequireIntegrity=1 +V-224924::Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name does not exist)::Value: 0x00000001 (1) or 0x00000003 (3) or 0x00000008 (8) (or if the Value Name does not exist) +V-224957::Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ +V-224936::Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)::Value: 0x00000000 (0) (Security) or 0x00000001 (1) (Basic) +V-225063::Value: 0x00000002 (2) (Prompt for consent on the secure desktop)::Value: 1 or 2 +V-224834::\Windows::C:\Windows +V-224872::"Minimum password length,"::"Minimum password length" +V-225078::- Administrators::- Administrators`r`nHyper-V +V-225079::Passwords for application accounts with this user right must be protected as highly privileged accounts.::"" diff --git a/source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V1R10_Manual-xccdf.xml b/source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V2R1_Manual-xccdf.xml similarity index 57% rename from source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V1R10_Manual-xccdf.xml rename to source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V2R1_Manual-xccdf.xml index 0a875d248..77615d232 100644 --- a/source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V1R10_Manual-xccdf.xml +++ b/source/StigData/Archive/Windows.Server.2016/U_MS_Windows_Server_2016_MS_STIG_V2R1_Manual-xccdf.xml 
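Review bot: verify each renumbered ID against the legacy ident carried in the V2R1 XML rather than trusting position: the nine entries match the deleted V1R10 log line for line with only the rule ID changed (V-73509 to V-224921, V-73711 to V-225063, V-73753 to V-225078, and so on), and a mismapped ID would silently apply a text substitution to the wrong rule. The V-225078 entry still uses the PowerShell escape `r`n to append "Hyper-V" after "- Administrators", and V-225079 replaces its sentence with "", both copied unchanged from V1R10; that is fine as long as the log reader still interprets them the same way.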
@@ -1,2598 +1,2568 @@  - - accepted - Windows Server 2016 Security Technical Implementation Guide + + accepted + Microsoft Windows Server 2016 Security Technical Implementation Guide This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + + DISA STIG.DOD.MIL - Release: 10 Benchmark Date: 24 Jan 2020 - 1 + Release: 1 Benchmark Date: 13 Nov 2020 + 3.1.1.36225 + 1.10.0 + 2 I - Mission Critical Classified <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + I - Mission Critical Sensitive <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Public <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Classified <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Sensitive <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + I - Mission 
Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000010Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.<VulnDiscussion>Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73217SV-87869CCI-000366Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties.Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. + +If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>WN16-00-000030Passwords for the built-in Administrator account must be changed at least every 60 days.<VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. 
Changing the password for the built-in Administrator account on a regular basis will limit its exposure. + +Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87875V-73223CCI-000199Change the built-in Administrator account password at least every "60" days. + +Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this.Review the password last set date for the built-in Administrator account. + +Domain controllers: + +Open "PowerShell". + +Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | Ft Name, SID, PasswordLastSet". + +If the "PasswordLastSet" date is greater than "60" days old, this is a finding. + +Member servers and standalone systems: + +Open "Command Prompt". + +Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account. + +(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.) 
+ +If the "PasswordLastSet" date is greater than "60" days old, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000040Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.<VulnDiscussion>Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. + +Since administrative accounts may generally change or work around technical restrictions for running a web browser or other applications, it is essential that policy require administrative accounts to not access the Internet or use applications such as email. + +The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. + +Whitelisting can be used to enforce the policy to ensure compliance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87877V-73225CCI-000366Establish a policy, at minimum, to prohibit administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Ensure the policy is enforced. 
+ +The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement.Determine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. + +If it does not, this is a finding. + +The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000050Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.<VulnDiscussion>Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. Members of the Backup Operators group must have separate logon accounts for performing backup duties.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87879V-73227CCI-000366Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions.If no accounts are members of the Backup Operators group, this is NA. + +Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. 
+ +If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>WN16-00-000060Manually managed application account passwords must be at least 15 characters in length.<VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73229SV-87881CCI-000205Establish a policy that requires application/service account passwords that are manually managed to be at least 15 characters in length. Ensure the policy is enforced.Determine if manually managed application/service accounts exist. If none exist, this is NA. + +Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. + +If such a policy does not exist or has not been implemented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000070Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.<VulnDiscussion>Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. 
If managed service accounts are used, this alleviates the need to manually change application account passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87883V-73231CCI-000366Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. + +It is recommended that system-managed service accounts be used whenever possible.Determine if manually managed application/service accounts exist. If none exist, this is NA. + +If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. + +Identify manually managed application/service accounts. + +To determine the date a password was last changed: + +Domain controllers: + +Open "PowerShell". + +Enter "Get-AdUser -Identity [application account name] -Properties PasswordLastSet | FT Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. + +If the "PasswordLastSet" date is more than one year old, this is a finding. + +Member servers and standalone systems: + +Open "Command Prompt". + +Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. 
+ +If the "Password Last Set" date is more than one year old, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>WN16-00-000080Shared user accounts must not be permitted on the system.<VulnDiscussion>Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87885V-73233CCI-000764Remove unapproved shared accounts from the system. + +Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity.Determine whether any shared accounts exist. If no shared accounts exist, this is NA. + +Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. 
+ +If unapproved shared accounts exist, this is a finding.SRG-OS-000370-GPOS-00155<GroupDescription></GroupDescription>WN16-00-000090Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.<VulnDiscussion>Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. + +The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87887V-73235CCI-001774Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + +Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server. + +If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. + +Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: + +https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfmThis is applicable to unclassified systems. 
For other systems, this is NA. + +Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + +If an application whitelisting program is not in use on the system, this is a finding. + +Configuration of whitelisting applications will vary by the program. + +AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. + +If AppLocker is used, perform the following to view the configuration of AppLocker: + +Open "PowerShell". + +If the AppLocker PowerShell module has not been imported previously, execute the following first: + +Import-Module AppLocker + +Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: + +Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml + +This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. + +Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: + +https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfmSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000100Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.<VulnDiscussion>Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met in order for Credential Guard to be configured and enabled properly. 
Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87889V-73237CCI-000366Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) + +The TPM must be enabled in the firmware. + +Run "tpm.msc" for configuration options in Windows.For standalone systems, this is NA. + +Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. + +Verify the system has a TPM and it is ready for use. + +Run "tpm.msc". + +Review the sections in the center pane. + +"Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". + +TPM Manufacturer Information - Specific Version = 2.0 or 1.2 + +If a TPM is not found or is not ready for use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000110Systems must be maintained at a supported servicing level.<VulnDiscussion>Systems at unsupported servicing levels will not receive security updates for new vulnerabilities, which leave them subject to exploitation. 
Systems must be maintained at a servicing level supported by the vendor with new security updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87891V-73239CCI-000366Update the system to a Version 1607 (Build 14393.xxx) or greater.Open "Command Prompt". + +Enter "winver.exe". + +If the "About Windows" dialog box does not display "Microsoft Windows Server Version 1607 (Build 14393.xxx)" or greater, this is a finding. + +Preview versions must not be used in a production environment.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000120The Windows Server 2016 system must use an anti-virus program.<VulnDiscussion>Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87893V-73241CCI-000366If no anti-virus software is in use, install Windows Defender or third-party anti-virus. + +Open "PowerShell". + +Enter "Install-WindowsFeature -Name Windows-Defender” + +For third-party anti-virus, install per anti-virus instructions and disable Windows Defender. + +Open "PowerShell". 
+ +Enter “Uninstall-WindowsFeature -Name Windows-Defender”. +Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. + +If there is no anti-virus solution installed on the system, this is a finding. + +Verify if Windows Defender is in use or enabled: + +Open "PowerShell". + +Enter "get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName” + +Verify if third-party anti-virus is in use or enabled: + +Open "PowerShell". + +Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName” + +Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName” +SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000140Servers must have a host-based intrusion detection or prevention system.<VulnDiscussion>A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense against unauthorized access to critical servers. With proper configuration and logging enabled, such a system can stop and/or alert for many attempts to gain unauthorized access to resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87897V-73245CCI-000366Install a HIDS or HIPS on each server.Determine whether there is a HIDS or HIPS on each server. + +If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. 
+ +A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the ISSO. + +If a HIDS is not installed on the system, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-00-000150Local volumes must use a format that supports NTFS attributes.<VulnDiscussion>The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, volumes must be formatted using a file system that supports NTFS attributes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87899V-73247CCI-000213Format volumes to use NTFS or ReFS.Open "Computer Management". + +Select "Disk Management" under "Storage". + +For each local volume, if the file system does not indicate "NTFS", this is a finding. + +"ReFS" (resilient file system) is also acceptable and would not be a finding. + +This does not apply to system partitions such the Recovery and EFI System Partition.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>WN16-00-000160Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. + +The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). 
+ +Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87901V-73249CCI-002165Maintain the default permissions for the system drive's root directory and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). + +Default Permissions +C:\ +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +SYSTEM - Full control - This folder, subfolders, and files +Administrators - Full control - This folder, subfolders, and files +Users - Read & execute - This folder, subfolders, and files +Users - Create folders/append data - This folder and subfolders +Users - Create files/write data - Subfolders only +CREATOR OWNER - Full Control - Subfolders and files onlyThe default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). + +Review the permissions for the system drive's root directory (usually C:\). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) + +If permissions are not as restrictive as the default permissions listed below, this is a finding. + +Viewing in File Explorer: + +View the Properties of the system drive's root directory. + +Select the "Security" tab, and the "Advanced" button. 
+ +Default permissions: +C:\ +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +SYSTEM - Full control - This folder, subfolders, and files +Administrators - Full control - This folder, subfolders, and files +Users - Read & execute - This folder, subfolders, and files +Users - Create folders/append data - This folder and subfolders +Users - Create files/write data - Subfolders only +CREATOR OWNER - Full Control - Subfolders and files only + +Alternately, use icacls: + +Open "Command Prompt (Admin)". + +Enter "icacls" followed by the directory: + +"icacls c:\" + +The following results should be displayed: + +c:\ +NT AUTHORITY\SYSTEM:(OI)(CI)(F) +BUILTIN\Administrators:(OI)(CI)(F) +BUILTIN\Users:(OI)(CI)(RX) +BUILTIN\Users:(CI)(AD) +BUILTIN\Users:(CI)(IO)(WD) +CREATOR OWNER:(OI)(CI)(IO)(F) +Successfully processed 1 files; Failed processing 0 filesSRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>WN16-00-000170Permissions for program file directories must conform to minimum requirements.<VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. + +The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). 
+ +Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73251SV-87903CCI-002165Maintain the default permissions for the program file directories and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). + +Default permissions: +\Program Files and \Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders, and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files +ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and filesThe default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). + +Review the permissions for the program file directories (Program Files and Program Files [x86]). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. (Individual accounts must not be used to assign permissions.) + +If permissions are not as restrictive as the default permissions listed below, this is a finding. 
+ +Viewing in File Explorer: + +For each folder, view the Properties. + +Select the "Security" tab, and the "Advanced" button. + +Default permissions: +\Program Files and \Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files +ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files + +Alternately, use icacls: + +Open a Command prompt (admin). + +Enter "icacls" followed by the directory: + +'icacls "c:\program files"' +'icacls "c:\program files (x86)"' + +The following results should be displayed for each when entered: + +c:\program files (c:\program files (x86)) +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 filesSRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>WN16-00-000180Permissions for the Windows installation directory must conform to minimum requirements.<VulnDiscussion>Changing the system's file and directory permissions allows the 
possibility of unauthorized and anonymous modification to the operating system and installed applications. + +The default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). + +Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73253SV-87905CCI-002165Maintain the default file ACLs and configure the Security Option "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (WN16-SO-000290). + +Default permissions: +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders, and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files +ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and filesThe default permissions are adequate when the Security Option "Network access: Let everyone permissions apply to anonymous users" is set to "Disabled" (WN16-SO-000290). + +Review the permissions for the Windows installation directory (usually C:\Windows). 
Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. (Individual accounts must not be used to assign permissions.) + +If permissions are not as restrictive as the default permissions listed below, this is a finding. + +Viewing in File Explorer: + +For each folder, view the Properties. + +Select the "Security" tab and the "Advanced" button. + +Default permissions: +\Windows +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders, and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files +ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files + +Alternately, use icacls: + +Open a Command prompt (admin). 
+ +Enter "icacls" followed by the directory: + +"icacls c:\windows" + +The following results should be displayed for each when entered: + +c:\windows +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 filesSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-00-000190Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.<VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous modification to the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87907V-73255CCI-002235Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive. + +The default permissions of the higher-level keys are noted below. 
+ +HKEY_LOCAL_MACHINE\SECURITY + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +SYSTEM - Full Control - This key and subkeys +Administrators - Special - This key and subkeys + +HKEY_LOCAL_MACHINE\SOFTWARE + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +Users - Read - This key and subkeys +Administrators - Full Control - This key and subkeys +SYSTEM - Full Control - This key and subkeys +CREATOR OWNER - Full Control - This key and subkeys +ALL APPLICATION PACKAGES - Read - This key and subkeys + +HKEY_LOCAL_MACHINE\SYSTEM + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +Users - Read - This key and subkeys +Administrators - Full Control - This key and subkeys +SYSTEM - Full Control - This key and subkeys +CREATOR OWNER - Full Control - Subkeys only +ALL APPLICATION PACKAGES - Read - This key and subkeysReview the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive noted below. + +If any non-privileged groups such as Everyone, Users, or Authenticated Users have greater than Read permission, this is a finding. + +If permissions are not as restrictive as the default permissions listed below, this is a finding. + +Run "Regedit". + +Right-click on the registry areas noted below. + +Select "Permissions..." and the "Advanced" button. 
+ +HKEY_LOCAL_MACHINE\SECURITY + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +SYSTEM - Full Control - This key and subkeys +Administrators - Special - This key and subkeys + +HKEY_LOCAL_MACHINE\SOFTWARE + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +Users - Read - This key and subkeys +Administrators - Full Control - This key and subkeys +SYSTEM - Full Control - This key and subkeys +CREATOR OWNER - Full Control - This key and subkeys +ALL APPLICATION PACKAGES - Read - This key and subkeys + +HKEY_LOCAL_MACHINE\SYSTEM + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +Users - Read - This key and subkeys +Administrators - Full Control - This key and subkeys +SYSTEM - Full Control - This key and subkeys +CREATOR OWNER - Full Control - Subkeys only +ALL APPLICATION PACKAGES - Read - This key and subkeys + +Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission. + +If the defaults have not been changed, these are not a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-00-000200Non-administrative accounts or groups must only have print permissions on printer shares.<VulnDiscussion>Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. 
Improper configuration can permit access to devices and data beyond a user's need.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73257SV-87909CCI-000213Configure the permissions on shared printers to restrict standard users to only have Print permissions.Open "Devices and Printers". + +If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) + +For each printer: + +Right-click on the printer. + +Select "Printer Properties". + +Select the "Sharing" tab. + +If "Share this printer" is checked, select the "Security" tab. + +If any standard user accounts or groups have permissions other than "Print", this is a finding. + +The default is for the "Everyone" group to be given "Print" permission. + +"All APPLICATION PACKAGES" and "CREATOR OWNER" are not standard user accounts.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>WN16-00-000210Outdated or unused accounts must be removed from the system or disabled.<VulnDiscussion>Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed. 
+ +Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000118-GPOS-00060</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73259SV-87911CCI-000764CCI-000795Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days.Open "Windows PowerShell". + +Domain Controllers: + +Enter "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" + +This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. + +Member servers and standalone systems: + +Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) + +"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { + $user = ([ADSI]$_.Path) + $lastLogin = $user.Properties.LastLogin.Value + $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 + if ($lastLogin -eq $null) { + $lastLogin = 'Never' + } + Write-Host $user.Name $lastLogin $enabled +}" + +This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). +For example: User1 10/31/2015 5:49:56 AM True + +Review the list of accounts returned by the above queries to determine the finding validity for each account reported. 
+ +Exclude the following accounts: + +- Built-in administrator account (Renamed, SID ending in 500) +- Built-in guest account (Renamed, Disabled, SID ending in 501) +- Built-in default account (Renamed, Disabled, SID ending in 503) +- Application accounts + +If any enabled accounts have not been logged on to within the past 35 days, this is a finding. + +Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>WN16-00-000220Windows Server 2016 accounts must require passwords.<VulnDiscussion>The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87913V-73261CCI-000764Configure all enabled accounts to require passwords. + +The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account.Review the password required status for enabled user accounts. + +Open "PowerShell". + +Domain Controllers: + +Enter "Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled". + +Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs). + +If "Passwordnotrequired" is "True" or blank for any enabled user account, this is a finding. 
+ +Member servers and standalone systems: + +Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. + +Exclude disabled accounts (e.g., DefaultAccount, Guest). + +If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>WN16-00-000230Passwords must be configured to expire.<VulnDiscussion>Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73263SV-87915CCI-000199Configure all enabled user account passwords to expire. + +Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO.Review the password never expires status for enabled user accounts. + +Open "PowerShell". + +Domain Controllers: + +Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled". + +Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. + +If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. 
+ +Member servers and standalone systems: + +Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. + +Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest). + +If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>WN16-00-000240System files must be monitored for unauthorized changes.<VulnDiscussion>Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87917V-73265CCI-001744Monitor the system for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. This can be done with the use of various monitoring tools.Determine whether the system is monitored for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. + +A properly configured and approved DoD HBSS solution that supports a File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. + +If system files are not monitored for unauthorized changes, this is a finding. + +A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. 
The Asset module within HBSS does not meet this requirement.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN16-00-000250Non-system-created file shares on a system must limit access to groups that require it.<VulnDiscussion>Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87919V-73267CCI-001090If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. + +Remove any unnecessary non-system-created shares.If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. (System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) + +Run "Computer Management". + +Navigate to System Tools >> Shared Folders >> Shares. + +Right-click any non-system-created shares. + +Select "Properties". + +Select the "Share Permissions" tab. + +If the file shares have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding. + +Select the "Security" tab. 
+ +If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000270Software certificate installation files must be removed from Windows Server 2016.<VulnDiscussion>Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87923V-73271CCI-000366Remove any certificate installation files (*.p12 and *.pfx) found on a system. + +Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files.Search all drives for *.p12 and *.pfx files. + +If any files with these extensions exist, this is a finding. + +This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>WN16-00-000280Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.<VulnDiscussion>This requirement addresses protection of user-generated data as well as operating system-specific configuration data. 
Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). + +Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87925V-73273CCI-001199CCI-002475CCI-002476Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest.Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. 
+ +If they do not, this is a finding.SRG-OS-000425-GPOS-00189<GroupDescription></GroupDescription>WN16-00-000290Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.<VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. + +Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission. This can be accomplished via access control and encryption. + +Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, encrypted VPNs, or IPsec. 
+ +Satisfies: SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87927V-73275CCI-002422CCI-002420Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented. + +If protection methods have not been implemented, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-00-000300The roles and features required by the system must be documented.<VulnDiscussion>Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. 
The standard installation option (previously called Server Core) further reduces this when selected at installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73277SV-87929CCI-000381Document the roles and features required for the system to operate. Uninstall any that are not required.Required roles and features will vary based on the function of the individual system. + +Roles and features specifically required to be disabled per the STIG are identified in separate requirements. + +If the organization has not documented the roles and features required for the system(s), this is a finding. + +The PowerShell command "Get-WindowsFeature" will list all roles and features with an "Install State".SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000310A host-based firewall must be installed and enabled on the system.<VulnDiscussion>A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73279SV-87931CCI-000366CCI-002080Install and enable a host-based firewall on the system.Determine if a host-based firewall is installed and enabled on the system. 
+ +If a host-based firewall is not installed and enabled on the system, this is a finding. + +The configuration requirements will be determined by the applicable firewall STIG.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>WN16-00-000320Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).<VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87933V-73281CCI-001233Install a DoD approved HBSS software and ensure it is operating continuously.Verify DoD approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. 
+ +If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured, maintained, or used, this is a finding.SRG-OS-000002-GPOS-00002<GroupDescription></GroupDescription>WN16-00-000330Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.<VulnDiscussion>If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. + +Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. + +If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. + +To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73283SV-87935CCI-000016Configure temporary user accounts to automatically expire within 72 hours. + +Domain accounts can be configured with an account expiration date, under "Account" properties. + +Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. 
+ +Delete any temporary user accounts that are no longer necessary.Review temporary user accounts for expiration dates. + +Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. + +Domain Controllers: + +Open "PowerShell". + +Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate". + +If "AccountExpirationDate" has not been defined within 72 hours for any temporary user account, this is a finding. + +Member servers and standalone systems: + +Open "Command Prompt". + +Run "Net user [username]", where [username] is the name of the temporary user account. + +If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>WN16-00-000340Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.<VulnDiscussion>Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. + +Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. 
+ +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73285SV-87937CCI-001682Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. + +Domain accounts can be configured with an account expiration date, under "Account" properties. + +Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account.Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. + +If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. + +If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. + +Domain Controllers: + +Open "PowerShell". + +Enter "Search-ADAccount –AccountExpiring | FT Name, AccountExpirationDate". + +If "AccountExpirationDate" has been defined and is not within 72 hours for an emergency administrator account, this is a finding. + +Member servers and standalone systems: + +Open "Command Prompt". + +Run "Net user [username]", where [username] is the name of the emergency account. 
+ +If "Account expires" has been defined and is not within 72 hours for an emergency administrator account, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-00-000350The Fax Server role must not be installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73287SV-87939CCI-000381Uninstall the "Fax Server" role. + +Start "Server Manager". + +Select the server with the role. + +Scroll down to "ROLES AND FEATURES" in the right pane. + +Select "Remove Roles and Features" from the drop-down "TASKS" list. + +Select the appropriate server on the "Server Selection" page and click "Next". + +Deselect "Fax Server" on the "Roles" page. + +Click "Next" and "Remove" as prompted.Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq Fax". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>WN16-00-000360The Microsoft FTP service must not be installed unless required.<VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87941V-73289CCI-000382Uninstall the "FTP Server" role. + +Start "Server Manager". + +Select the server with the role. + +Scroll down to "ROLES AND FEATURES" in the right pane. + +Select "Remove Roles and Features" from the drop-down "TASKS" list. + +Select the appropriate server on the "Server Selection" page and click "Next". + +Deselect "FTP Server" under "Web Server (IIS)" on the "Roles" page. + +Click "Next" and "Remove" as prompted.If the server has the role of an FTP server, this is NA. + +Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq Web-Ftp-Service". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding. + +If the system has the role of an FTP server, this must be documented with the ISSO.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-00-000370The Peer Name Resolution Protocol must not be installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87943V-73291CCI-000381Uninstall the "Peer Name Resolution Protocol" feature. + +Start "Server Manager". + +Select the server with the feature. + +Scroll down to "ROLES AND FEATURES" in the right pane. + +Select "Remove Roles and Features" from the drop-down "TASKS" list. + +Select the appropriate server on the "Server Selection" page and click "Next". + +Deselect "Peer Name Resolution Protocol" on the "Features" page. + +Click "Next" and "Remove" as prompted.Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq PNRP". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-00-000380Simple TCP/IP Services must not be installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87945V-73293CCI-000381Uninstall the "Simple TCP/IP Services" feature. + +Start "Server Manager". + +Select the server with the feature. + +Scroll down to "ROLES AND FEATURES" in the right pane. + +Select "Remove Roles and Features" from the drop-down "TASKS" list. + +Select the appropriate server on the "Server Selection" page and click "Next". + +Deselect "Simple TCP/IP Services" on the "Features" page. + +Click "Next" and "Remove" as prompted.Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq Simple-TCPIP". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>WN16-00-000390The Telnet Client must not be installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87947V-73295CCI-000382Uninstall the "Telnet Client" feature. + +Start "Server Manager". + +Select the server with the feature. + +Scroll down to "ROLES AND FEATURES" in the right pane. + +Select "Remove Roles and Features" from the drop-down "TASKS" list. + +Select the appropriate server on the "Server Selection" page and click "Next". + +Deselect "Telnet Client" on the "Features" page. + +Click "Next" and "Remove" as prompted.Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq Telnet-Client". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-00-000400The TFTP Client must not be installed.<VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73297SV-87949CCI-000381Uninstall the "TFTP Client" feature. + +Start "Server Manager". + +Select the server with the feature. + +Scroll down to "ROLES AND FEATURES" in the right pane. + +Select "Remove Roles and Features" from the drop-down "TASKS" list. + +Select the appropriate server on the "Server Selection" page and click "Next". + +Deselect "TFTP Client" on the "Features" page. + +Click "Next" and "Remove" as prompted.Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq TFTP-Client". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-00-000410The Server Message Block (SMB) v1 protocol must be uninstalled.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87951V-73299CCI-000381Uninstall the SMBv1 protocol. + +Open "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Uninstall-WindowsFeature -Name FS-SMB1 -Restart". +(Omit the Restart parameter if an immediate restart of the system cannot be done.) + +Alternately: + +Start "Server Manager". + +Select the server with the feature. + +Scroll down to "ROLES AND FEATURES" in the right pane. + +Select "Remove Roles and Features" from the drop-down "TASKS" list. + +Select the appropriate server on the "Server Selection" page and click "Next". + +Deselect "SMB 1.0/CIFS File Sharing Support" on the "Features" page. + +Click "Next" and "Remove" as prompted.Different methods are available to disable SMBv1 on Windows 2016. This is the preferred method, however if V-78123 and V-78125 are configured, this is NA. + +Open "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Get-WindowsFeature -Name FS-SMB1". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-00-000411The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-78123SV-92829CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 Server" to "Disabled". + +The system must be restarted for the change to take effect. + +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.Different methods are available to disable SMBv1 on Windows 2016, if V-73299 is configured, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ + +Value Name: SMB1 + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-00-000412The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.<VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-78125SV-92831CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client driver" to "Enabled" with "Disable driver (recommended)" selected for "Configure MrxSmb10 driver". + +The system must be restarted for the changes to take effect. + +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.Different methods are available to disable SMBv1 on Windows 2016, if V-73299 is configured, this is NA. + +If the following registry value is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ + +Value Name: Start + +Type: REG_DWORD +Value: 0x00000004 (4)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-00-000420Windows PowerShell 2.0 must not be installed.<VulnDiscussion>Windows PowerShell 5.0 added advanced logging features that can provide additional detail when malware has been run on a system. 
Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87953V-73301CCI-000381Uninstall the "Windows PowerShell 2.0 Engine". + +Start "Server Manager". + +Select the server with the feature. + +Scroll down to "ROLES AND FEATURES" in the right pane. + +Select "Remove Roles and Features" from the drop-down "TASKS" list. + +Select the appropriate server on the "Server Selection" page and click "Next". + +Deselect "Windows PowerShell 2.0 Engine" under "Windows PowerShell" on the "Features" page. + +Click "Next" and "Remove" as prompted.Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq PowerShell-v2". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000430FTP servers must be configured to prevent anonymous logons.<VulnDiscussion>The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult. 
+ +Using accounts that have administrator privileges to log on to FTP risks that the userid and password will be captured on the network and give administrator access to an unauthorized user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73303SV-87955CCI-000366Configure the FTP service to prevent anonymous logons. + +Open "Internet Information Services (IIS) Manager". + +Select the server. + +Double-click "FTP Authentication". + +Select "Anonymous Authentication". + +Select "Disabled" under "Actions".If FTP is not installed on the system, this is NA. + +Open "Internet Information Services (IIS) Manager". + +Select the server. + +Double-click "FTP Authentication". 
+ +If the "Anonymous Authentication" status is "Enabled", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000440FTP servers must be configured to prevent access to the system drive.<VulnDiscussion>The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, especially if the user can gain access to the root directory of the boot drive.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87957V-73305CCI-000366Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system.If FTP is not installed on the system, this is NA. + +Open "Internet Information Services (IIS) Manager". + +Select "Sites" under the server name. + +For any sites with a Binding that lists FTP, right-click the site and select "Explore". + +If the site is not defined to a specific folder for shared FTP resources, this is a finding. + +If the site includes any system areas such as root of the drive, Program Files, or Windows directories, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>WN16-00-000450The time service must synchronize with an appropriate DoD time source.<VulnDiscussion>The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Windows Time Service is used, it must synchronize with a secure, authorized time source. Domain-joined systems are automatically configured to synchronize with domain controllers. 
If an NTP server is configured, it must synchronize with a secure, authorized time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87959V-73307CCI-001891Configure the system to synchronize time with an appropriate DoD time source. + +Domain-joined systems use NT5DS to synchronize time from other systems in the domain by default. + +If the system needs to be configured to an NTP server, configure the system to point to an authorized time server by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an appropriate DoD time server. + +The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.Review the Windows time service configuration. + +Open an elevated "Command Prompt" (run as administrator). + +Enter "W32tm /query /configuration". + +Domain-joined systems (excluding the domain controller with the PDC emulator role): + +If the value for "Type" under "NTP Client" is not "NT5DS", this is a finding. + +Other systems: + +If systems are configured with a "Type" of "NTP", including standalone systems and the domain controller with the PDC Emulator role, and do not have a DoD time server defined for "NTPServer", this is a finding. 
+ +To determine the domain controller with the PDC Emulator role: + +Open "PowerShell". + +Enter "Get-ADDomain | FT PDCEmulator".SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000460Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.<VulnDiscussion>Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there is a potential they may still have rights no longer intended. Valid domain accounts or groups may also show up as unresolved SIDs if a connection to the domain cannot be established for some reason.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-92833V-78127CCI-000366Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy.Review the effective User Rights setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +Review each User Right listed for any unresolved SIDs to determine whether they are valid, such as due to being temporarily disconnected from the domain. (Unresolved SIDs have the format of "*S-1-…".) + +If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. 
+ +For server core installations, run the following command: + +Secedit /export /areas USER_RIGHTS /cfg c:\path\UserRights.txt + +The results in the file identify user right assignments by SID instead of group name. Review the SIDs for unidentified ones. A list of typical SIDs \ Groups is below, search Microsoft for articles on well-known SIDs for others. + +If any unresolved SIDs exist and are not for currently valid accounts or groups, this is a finding. + + +SID - Group +S-1-5-11 - Authenticated Users +S-1-5-113 - Local account +S-1-5-114 - Local account and member of Administrators group +S-1-5-19 - Local Service +S-1-5-20 - Network Service +S-1-5-32-544 - Administrators +S-1-5-32-546 - Guests +S-1-5-6 - Service +S-1-5-9 - Enterprise Domain Controllers +S-1-5-domain-512 - Domain Admins +S-1-5-root domain-519 - Enterprise Admins +S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 - NT Service\WdiServiceHostSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000470Secure Boot must be enabled on Windows Server 2016 systems.<VulnDiscussion>Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security features in Windows Server 2016, including Virtualization Based Security and Credential Guard. If Secure Boot is turned off, these security features will not function.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-101005V-90355CCI-000366Enable Secure Boot in the system firmware.Some older systems may not have UEFI firmware. 
This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. + +Run "System Information". + +Under "System Summary", if "Secure Boot State" does not display "On", this is finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-00-000480Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.<VulnDiscussion>UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional security features in Windows Server 2016, including Virtualization Based Security and Credential Guard. Systems with UEFI that are operating in "Legacy BIOS" mode will not support these security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-101007V-90357CCI-000366Configure UEFI firmware to run in "UEFI" mode, not "Legacy BIOS" mode.Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must run in "UEFI" mode. + +Verify the system firmware is configured to run in "UEFI" mode, not "Legacy BIOS". + +Run "System Information". 
+ +Under "System Summary", if "BIOS Mode" does not display "UEFI", this is finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>WN16-AC-000010Windows 2016 account lockout duration must be configured to 15 minutes or greater.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87961V-73309CCI-002238Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. + +A value of "0" is also acceptable, requiring an administrator to unlock the account.Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. + +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "LockoutDuration" is less than "15" (excluding "0") in the file, this is a finding. 
+ +Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>WN16-AC-000020Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack while allowing for honest errors made during normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87963V-73311CCI-000044Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout threshold" to "3" or fewer invalid logon attempts (excluding "0", which is unacceptable).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding. 
+ +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "LockoutBadCount" equals "0" or is greater than "3" in the file, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>WN16-AC-000030Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.<VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to "0". The smaller this value is, the less effective the account lockout feature will be in protecting the local system. + +Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87965V-73313CCI-000044CCI-002238Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes.Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. + +If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding. 
+ +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "ResetLockoutCount" is less than "15" in the file, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>WN16-AC-000040Windows Server 2016 password history must be configured to 24 passwords remembered.<VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is "24" for Windows domain systems. DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73315SV-87967CCI-000200Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered.Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding. 
+ +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "PasswordHistorySize" is less than "24" in the file, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>WN16-AC-000050Windows Server 2016 maximum password age must be configured to 60 days or less.<VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73317SV-87969CCI-000199Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Maximum password age" to "60" days or less (excluding "0", which is unacceptable).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for the "Maximum password age" is greater than "60" days, this is a finding. + +If the value is set to "0" (never expires), this is a finding. 
+ +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "MaximumPasswordAge" is greater than "60" or equal to "0" in the file, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>WN16-AC-000060Windows Server 2016 minimum password age must be configured to at least one day.<VulnDiscussion>Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose of mandating periodic password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73319SV-87971CCI-000198Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password age" to at least "1" day.Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately"), this is a finding. 
+ +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "MinimumPasswordAge" equals "0" in the file, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>WN16-AC-000070Windows Server 2016 minimum password length must be configured to 14 characters.<VulnDiscussion>Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87973V-73321CCI-000205Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password length" to "14" characters.Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for the "Minimum password length," is less than "14" characters, this is a finding. 
+ +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "MinimumPasswordLength" is less than "14" in the file, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>WN16-AC-000080Windows Server 2016 must have the built-in Windows password complexity policy enabled.<VulnDiscussion>The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, upper- and lower-case letters, and special characters) and prevents the inclusion of user names or parts of user names. + +Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000071-GPOS-00039, SRG-OS-000266-GPOS-00101</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87975V-73323CCI-000192CCI-000193CCI-000194CCI-001619Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled".Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. 
+ +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "PasswordComplexity" equals "0" in the file, this is a finding. + +Note: If an external password filter is in use that enforces all four character types and requires this setting to be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>WN16-AC-000090Windows Server 2016 reversible password encryption must be disabled.<VulnDiscussion>Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. For this reason, this policy must never be enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87977V-73325CCI-000196Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled".Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Store passwords using reversible encryption" is not set to "Disabled", this is a finding. 
+ +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "ClearTextPassword" equals "1" in the file, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>WN16-AU-000010Audit records must be backed up to a different system or media than the system being audited.<VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88053V-73401CCI-001851Establish and implement a process for backing up log data to another system or media other than the system being audited.Determine if a process to back up log data to a different system or media than the system being audited has been implemented. + +If it has not, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>WN16-AU-000020Windows Server 2016 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.<VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. 
Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73403SV-88055CCI-001851Configure the system to, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. + +If they are not, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>WN16-AU-000030Permissions for the Application event log must prevent access by non-privileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Application event log may be susceptible to tampering if proper permissions are not applied. 
+ +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88057V-73405CCI-000162CCI-000163CCI-000164Configure the permissions on the Application event log file (Application.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\ System32\winevt\Logs" folder. + +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Navigate to the Application event log file. + +The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. + +If the permissions for the "Application.evtx" file are not as restrictive as the default permissions listed below, this is a finding. + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full ControlSRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>WN16-AU-000040Permissions for the Security event log must prevent access by non-privileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
The Security event log may disclose sensitive information or be susceptible to tampering if proper permissions are not applied. + +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73407SV-88059CCI-000164CCI-000163CCI-000162Configure the permissions on the Security event log file (Security.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\ System32\winevt\Logs" folder. + +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Navigate to the Security event log file. + +The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. + +If the permissions for the "Security.evtx" file are not as restrictive as the default permissions listed below, this is a finding. + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full ControlSRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>WN16-AU-000050Permissions for the System event log must prevent access by non-privileged accounts.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The System event log may be susceptible to tampering if proper permissions are not applied. + +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88061V-73409CCI-000162CCI-000163CCI-000164Configure the permissions on the System event log file (System.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + +The default location is the "%SystemRoot%\ System32\winevt\Logs" folder. + +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog".Navigate to the System event log file. + +The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. + +If the permissions for the "System.evtx" file are not as restrictive as the default permissions listed below, this is a finding. + +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full ControlSRG-OS-000257-GPOS-00098<GroupDescription></GroupDescription>WN16-AU-000060Event Viewer must be protected from unauthorized modification and deletion.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification or deletion of audit tools. + +Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73411SV-88063CCI-001494CCI-001495Configure the permissions on the "Eventvwr.exe" file to prevent modification by any groups or accounts other than TrustedInstaller. The default permissions listed below satisfy this requirement: + +TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute + +The default location is the "%SystemRoot%\ System32" folder.Navigate to "%SystemRoot%\System32". + +View the permissions on "Eventvwr.exe". + +If any groups or accounts other than TrustedInstaller have "Full control" or "Modify" permissions, this is a finding. 
+ +The default permissions below satisfy this requirement: + +TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & ExecuteSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN16-AU-000070Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73413SV-88065CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). 
+ +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Account Logon >> Credential Validation - SuccessSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN16-AU-000080Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88067V-73415CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Account Logon >> Credential Validation - FailureSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000100Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Other Account Management Events records events such as the access of a password hash or the Password Policy Checking API being called. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88071V-73419CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Other Account Management Events" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Account Management >> Other Account Management Events - SuccessSRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>WN16-AU-000120Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Security Group Management records events such as creating, deleting, or changing security groups, including changes in group members. + +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88075V-73423CCI-000172CCI-000018CCI-002130CCI-001405CCI-001403CCI-001404Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Security Group Management" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +Account Management >> Security Group Management - SuccessSRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>WN16-AU-000140Windows Server 2016 must be configured to audit Account Management - User Account Management successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. + +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73427SV-88079CCI-000018CCI-000172CCI-001403CCI-001405CCI-001404CCI-002130Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Account Management >> User Account Management - SuccessSRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>WN16-AU-000150Windows Server 2016 must be configured to audit Account Management - User Account Management failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. 
+ +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73429SV-88081CCI-000172CCI-000018CCI-002130CCI-001405CCI-001403CCI-001404Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Account Management >> User Account Management - FailureSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN16-AU-000160Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Plug and Play activity records events related to the successful connection of external devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88083V-73431CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit PNP Activity" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Detailed Tracking >> Plug and Play Events - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000170Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Process Creation records events related to the creation of a process and the source. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73433SV-88085CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit Process Creation" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Detailed Tracking >> Process Creation - SuccessSRG-OS-000240-GPOS-00090<GroupDescription></GroupDescription>WN16-AU-000220Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Account Lockout events can be used to identify potentially malicious logon attempts. + +Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73443SV-88095CCI-001404CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +Logon/Logoff >> Account Lockout - SuccessSRG-OS-000240-GPOS-00090<GroupDescription></GroupDescription>WN16-AU-000230Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Account Lockout events can be used to identify potentially malicious logon attempts. + +Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73445SV-88097CCI-000172CCI-001404Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. 
If the system does not audit the following, this is a finding. + +Logon/Logoff >> Account Lockout - FailureSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN16-AU-000240Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Group Membership records information related to the group membership of a user's logon token.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73447SV-88099CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Group Membership" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. 
+ +If the system does not audit the following, this is a finding. + +Logon/Logoff >> Group Membership - SuccessSRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>WN16-AU-000250Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. + +Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88101V-73449CCI-000172CCI-000067Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logoff" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Logon/Logoff >> Logoff - SuccessSRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>WN16-AU-000260Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. 
+ +Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88103V-73451CCI-000067CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Logon/Logoff >> Logon - SuccessSRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>WN16-AU-000270Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. + +Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88105V-73453CCI-000172CCI-000067Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Logon/Logoff >> Logon - FailureSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN16-AU-000280Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Special Logon records special logons that have administrative privileges and can be used to elevate processes. + +Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88107V-73455CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Special Logon" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +Logon/Logoff >> Special Logon - SuccessSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN16-AU-000285Windows 2016 must be configured to audit Object Access - Other Object Access Events successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-101009V-90359CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the "AuditPol" tool to review the current Audit Policy configuration: + +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as Administrator"). 
+ +Enter "AuditPol /get /category:*" + +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. + +Object Access >> Other Object Access Events - SuccessSRG-OS-000470-GPOS-00214<GroupDescription></GroupDescription>WN16-AU-000286Windows 2016 must be configured to audit Object Access - Other Object Access Events failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-90361SV-101011CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
+ +Use the "AuditPol" tool to review the current Audit Policy configuration: + +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as Administrator"). + +Enter "AuditPol /get /category:*" + +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. + +Object Access >> Other Object Access Events - FailureSRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN16-AU-000290Windows Server 2016 must be configured to audit Object Access - Removable Storage successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88109V-73457CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Success + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. 
This may be set to Not Configured in such cases and would not be a finding.SRG-OS-000474-GPOS-00219<GroupDescription></GroupDescription>WN16-AU-000300Windows Server 2016 must be configured to audit Object Access - Removable Storage failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73459SV-88111CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. 
+ +If the system does not audit the following, this is a finding. + +Object Access >> Removable Storage - Failure + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000310Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Policy Change records events related to changes in audit policy. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73461SV-88113CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Policy Change >> Audit Policy Change - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000320Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Policy Change records events related to changes in audit policy. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73463SV-88115CCI-002234CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Policy Change >> Audit Policy Change - FailureSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000330Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Authentication Policy Change records events related to changes in authentication policy, including Kerberos policy and Trust changes. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73465SV-88117CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authentication Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +Policy Change >> Authentication Policy Change - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000340Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Authorization Policy Change records events related to changes in user rights, such as "Create a token object". + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88119V-73467CCI-002234CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authorization Policy Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). 
+ +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Policy Change >> Authorization Policy Change - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000350Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs". + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73469SV-88121CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the 
detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Privilege Use >> Sensitive Privilege Use - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000360Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs". 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88123V-73471CCI-002234CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +Privilege Use >> Sensitive Privilege Use - FailureSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000370Windows Server 2016 must be configured to audit System - IPsec Driver successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +IPsec Driver records events related to the IPsec Driver, such as dropped packets. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88125V-73473CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +System >> IPsec Driver - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000380Windows Server 2016 must be configured to audit System - IPsec Driver failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +IPsec Driver records events related to the IPsec Driver, such as dropped packets. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88127V-73475CCI-002234CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +System >> IPsec Driver - FailureSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000390Windows Server 2016 must be configured to audit System - Other System Events successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88129V-73477CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). 
+ +Enter "AuditPol /get /category:*" + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +System >> Other System Events - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000400Windows Server 2016 must be configured to audit System - Other System Events failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88131V-73479CCI-002234CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +System >> Other System Events - FailureSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000410Windows Server 2016 must be configured to audit System - Security State Change successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Security State Change records events related to changes in the security state, such as startup and shutdown of the system. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73481SV-88133CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security State Change" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +System >> Security State Change - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000420Windows Server 2016 must be configured to audit System - Security System Extension successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Security System Extension records events related to extension code being loaded by the security subsystem. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73483SV-88135CCI-002234CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security System Extension" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +System >> Security System Extension - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000440Windows Server 2016 must be configured to audit System - System Integrity successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +System Integrity records events related to violations of integrity to the security subsystem. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73489SV-88141CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Success" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". 
+ +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +System >> System Integrity - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-AU-000450Windows Server 2016 must be configured to audit System - System Integrity failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +System Integrity records events related to violations of integrity to the security subsystem. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88143V-73491CCI-002234CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Failure" selected.Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +System >> System Integrity - FailureSRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-CC-000010The display of slide shows on the lock screen must be disabled.<VulnDiscussion>Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88145V-73493CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> "Prevent enabling lock screen slide show" to "Enabled".Verify the registry value below. + +If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ + +Value Name: NoLockScreenSlideshow + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-CC-000030WDigest Authentication must be disabled on Windows Server 2016.<VulnDiscussion>When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows Server 2016. 
This setting ensures this is enforced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88149V-73497CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "WDigest Authentication (disabling may require KB2871997)" to "Disabled". + +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and " SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ + +Value Name: UseLogonCredential + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000040Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.<VulnDiscussion>Configuring the system to disable IPv6 source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73499SV-88151CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. + +This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ + +Value Name: DisableIPSourceRouting + +Type: REG_DWORD +Value: 0x00000002 (2)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000050Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.<VulnDiscussion>Configuring the system to disable IP source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88153V-73501CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. + +This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: DisableIPSourceRouting + +Value Type: REG_DWORD +Value: 0x00000002 (2)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000060Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.<VulnDiscussion>Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via the shortest path first.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88155V-73503CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to "Disabled". + +This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableICMPRedirect + +Value Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>WN16-CC-000070Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.<VulnDiscussion>Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88157V-73505CCI-002385Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to "Enabled". + +This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ + +Value Name: NoNameReleaseOnDemand + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000080Insecure logons to an SMB server must be disabled.<VulnDiscussion>Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88159V-73507CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Lanman Workstation >> "Enable insecure guest logons" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\ + +Value Name: AllowInsecureGuestAuth + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000090Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.<VulnDiscussion>Additional security requirements are applied to Universal Naming Convention (UNC) paths specified in hardened UNC paths before allowing access to them. 
This aids in preventing tampering with or spoofing of connections to these paths.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73509SV-88161CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Network Provider >> "Hardened UNC Paths" to "Enabled" with at least the following configured in "Hardened UNC Paths": (click the "Show" button to display) + +Value Name: \\*\SYSVOL +Value: RequireMutualAuthentication=1, RequireIntegrity=1 + +Value Name: \\*\NETLOGON +Value: RequireMutualAuthentication=1, RequireIntegrity=1This requirement is applicable to domain-joined systems. For standalone systems, this is NA. + +If the following registry values do not exist or are not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\ + +Value Name: \\*\NETLOGON +Value Type: REG_SZ +Value: RequireMutualAuthentication=1, RequireIntegrity=1 + +Value Name: \\*\SYSVOL +Value Type: REG_SZ +Value: RequireMutualAuthentication=1, RequireIntegrity=1 + +Additional entries would not be a finding.SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>WN16-CC-000100Command line data must be included in process creation events.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Enabling "Include command line data for process creation events" will record the command line information with the process creation events in the log. This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88163V-73511CCI-000135Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> "Include command line in process creation events" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ + +Value Name: ProcessCreationIncludeCmdLine_Enabled + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000110Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.<VulnDiscussion>Virtualization Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum security level, with DMA protection providing additional memory protection. 
DMA Protection requires a CPU that supports input/output memory management unit (IOMMU).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73513SV-88165CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot" or "Secure Boot and DMA Protection" selected. + +A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: + +https://technet.microsoft.com/itpro/windows/keep-secure/credential-guardFor standalone systems, this is NA. + +Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. + +Open "PowerShell" with elevated privileges (run as administrator). + +Enter the following: + +"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" + +If "RequiredSecurityProperties" does not include a value of "2" indicating "Secure Boot" (e.g., "{1, 2}"), this is a finding. + +If "Secure Boot and DMA Protection" is configured, "3" will also be displayed in the results (e.g., "{1, 2, 3}"). + +If "VirtualizationBasedSecurityStatus" is not a value of "2" indicating "Running", this is a finding. + +Alternately: + +Run "System Information". 
+ +Under "System Summary", verify the following: + +If "Device Guard Virtualization based security" does not display "Running", this is finding. + +If "Device Guard Required Security Properties" does not display "Base Virtualization Support, Secure Boot", this is finding. + +If "Secure Boot and DMA Protection" is configured, "DMA Protection" will also be displayed (e.g., "Base Virtualization Support, Secure Boot, DMA Protection"). + +The policy settings referenced in the Fix section will configure the following registry values. However, due to hardware requirements, the registry values alone do not ensure proper function. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ + +Value Name: EnableVirtualizationBasedSecurity +Value Type: REG_DWORD +Value: 0x00000001 (1) + +Value Name: RequirePlatformSecurityFeatures +Value Type: REG_DWORD +Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA Protection) + +A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: + +https://technet.microsoft.com/itpro/windows/keep-secure/credential-guardSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000140Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.<VulnDiscussion>Compromised boot drivers can introduce malware prior to protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on classifications determined by the malware protection application. 
At a minimum, drivers determined to be bad must not be allowed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88173V-73521CCI-000366The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). + +If this needs to be corrected or a more secure setting is desired, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Early Launch Antimalware >> "Boot-Start Driver Initialization Policy" to "Not Configured" or "Enabled" with any option other than "All" selected.The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). + +If the registry value name below does not exist, this is not a finding. + +If it exists and is configured with a value of "0x00000007 (7)", this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\ + +Value Name: DriverLoadPolicy + +Value Type: REG_DWORD +Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name does not exist) + +Possible values for this setting are: +8 - Good only +1 - Good and unknown +3 - Good, unknown and bad but critical +7 - All (which includes "bad" and would be a finding)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000150Group Policy objects must be reprocessed even if they have not changed.<VulnDiscussion>Registry entries for group policy settings can potentially be changed from the required configuration. This could occur as part of troubleshooting or by a malicious process on a compromised system. Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures the policies will be reprocessed even if none have been changed. This way, any unauthorized changes are forced to match the domain-based group policy settings again.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88177V-73525CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Group Policy >> "Configure registry policy processing" to "Enabled" with the option "Process even if the Group Policy objects have not changed" selected.If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ + +Value Name: NoGPOListChanges + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-CC-000160Downloading print driver packages over HTTP must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. + +This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88179V-73527CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off downloading of print drivers over HTTP" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableWebPnPDownload + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-CC-000170Printing over HTTP must be prevented.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. + +This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73529SV-88181CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off printing over HTTP" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ + +Value Name: DisableHTTPPrinting + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-CC-000180The network selection user interface (UI) must not be displayed on the logon screen.<VulnDiscussion>Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73531SV-88185CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Do not display network selection UI" to "Enabled".Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ + +Value Name: DontDisplayNetworkSelectionUI + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000210Users must be prompted to authenticate when the system wakes from sleep (on battery).<VulnDiscussion>A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. 
This setting ensures users are prompted for a password when the system wakes from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88197V-73537CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (on battery)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: DCSettingIndex + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000220Users must be prompted to authenticate when the system wakes from sleep (plugged in).<VulnDiscussion>A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. 
This setting ensures users are prompted for a password when the system wakes from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88201V-73539CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (plugged in)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ + +Value Name: ACSettingIndex + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-CC-000240The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. 
+ +This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88207V-73543CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> "Turn off Inventory Collector" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppCompat\ + +Value Name: DisableInventory + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>WN16-CC-000250AutoPlay must be turned off for non-volume devices.<VulnDiscussion>Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. 
This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88209V-73545CCI-001764Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Disallow Autoplay for non-volume devices" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoAutoplayfornonVolume + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>WN16-CC-000260The default AutoRun behavior must be configured to prevent AutoRun commands.<VulnDiscussion>Allowing AutoRun commands to execute may introduce malicious code to a system. 
Configuring this setting prevents AutoRun commands from executing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73547SV-88211CCI-001764Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Set the default behavior for AutoRun" to "Enabled" with "Do not execute any autorun commands" selected.If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: NoAutorun + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>WN16-CC-000270AutoPlay must be disabled for all drives.<VulnDiscussion>Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. 
Enabling this policy disables AutoPlay on all drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88213V-73549CCI-001764Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Turn off AutoPlay" to "Enabled" with "All Drives" selected.If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ + +Value Name: NoDriveTypeAutoRun + +Type: REG_DWORD +Value: 0x000000ff (255)SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN16-CC-000280Administrator accounts must not be enumerated during elevation.<VulnDiscussion>Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. 
This setting configures the system to always require users to type in a username and password to elevate a running application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88139V-73487CCI-001084Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ + +Value Name: EnumerateAdministrators + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000290Windows Telemetry must be configured to Security or Basic.<VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender, and telemetry client settings. 
"Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88215V-73551CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Data Collection and Preview Builds>> "Allow Telemetry" to "Enabled" with "0 - Security [Enterprise Only]" or "1 - Basic" selected in "Options".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\ + +Value Name: AllowTelemetry + +Type: REG_DWORD +Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic)SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>WN16-CC-000300The Application event log size must be configured to 32768 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73553SV-88217CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater)SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>WN16-CC-000310The Security event log size must be configured to 196608 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88219V-73555CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Security >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "196608" or greater.If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00030000 (196608) (or greater)SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>WN16-CC-000320The System event log size must be configured to 32768 KB or greater.<VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73557SV-88221CCI-001849Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> System >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater.If the system is configured to write events directly to an audit server, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ + +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-CC-000330Windows Server 2016 Windows SmartScreen must be enabled.<VulnDiscussion>Windows SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. 
Enabling SmartScreen will warn users of potentially malicious programs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88223V-73559CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows SmartScreen" to "Enabled".This is applicable to unclassified systems; for other systems, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ + +Value Name: EnableSmartScreen + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000433-GPOS-00192<GroupDescription></GroupDescription>WN16-CC-000340Explorer Data Execution Prevention must be enabled.<VulnDiscussion>Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being turned off for File Explorer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88225V-73561CCI-002824The default behavior is for data execution prevention to be turned on for File Explorer. 
+ +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off Data Execution Prevention for Explorer" to "Not Configured" or "Disabled".The default behavior is for Data Execution Prevention to be turned on for File Explorer. + +If the registry value name below does not exist, this is not a finding. + +If it exists and is configured with a value of "0", this is not a finding. + +If it exists and is configured with a value of "1", this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoDataExecutionPrevention + +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000350Turning off File Explorer heap termination on corruption must be disabled.<VulnDiscussion>Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73563SV-88227CCI-000366The default behavior is for File Explorer heap termination on corruption to be disabled. + +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off heap termination on corruption" to "Not Configured" or "Disabled".The default behavior is for File Explorer heap termination on corruption to be enabled. 
+ +If the registry Value Name below does not exist, this is not a finding. + +If it exists and is configured with a value of "0", this is not a finding. + +If it exists and is configured with a value of "1", this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ + +Value Name: NoHeapTerminationOnCorruption + +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000360File Explorer shell protocol must run in protected mode.<VulnDiscussion>The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a limited set of folders increases the security of Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73565SV-88229CCI-000366The default behavior is for shell protected mode to be turned on for File Explorer. + +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled".The default behavior is for shell protected mode to be turned on for File Explorer. + +If the registry value name below does not exist, this is not a finding. + +If it exists and is configured with a value of "0", this is not a finding. + +If it exists and is configured with a value of "1", this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ + +Value Name: PreXPSP2ShellProtocolBehavior + +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist)SRG-OS-000373-GPOS-00157<GroupDescription></GroupDescription>WN16-CC-000370Passwords must not be saved in the Remote Desktop Client.<VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client. + +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73567SV-88231CCI-002038Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> "Do not allow passwords to be saved" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: DisablePasswordSaving + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN16-CC-000380Local drives must be prevented from sharing with Remote Desktop Session Hosts.<VulnDiscussion>Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88233V-73569CCI-001090Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> "Do not allow drive redirection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fDisableCdm + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000373-GPOS-00157<GroupDescription></GroupDescription>WN16-CC-000390Remote Desktop Services must always prompt a client for passwords upon connection.<VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server. 
+ +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88235V-73571CCI-002038Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Always prompt for password upon connection" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fPromptForPassword + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>WN16-CC-000400The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications.<VulnDiscussion>Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a client and server and modifies them before allowing the packets to be exchanged. 
Usually the attacker will modify the information in the packets in an attempt to cause either the client or server to reveal sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88237V-73573CCI-001453Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Require secure RPC communication" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: fEncryptRPCTraffic + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>WN16-CC-000410Remote Desktop Services must be configured with the client connection encryption set to High Level.<VulnDiscussion>Remote connections must be encrypted to prevent interception of data or sensitive information. 
Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73575SV-88239CCI-001453Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Set client connection encryption level" to "Enabled" with "High Level" selected.If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ + +Value Name: MinEncryptionLevel + +Type: REG_DWORD +Value: 0x00000003 (3)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000420Attachments must be prevented from being downloaded from RSS feeds.<VulnDiscussion>Attachments from RSS feeds may not be secure. 
This setting will prevent attachments from being downloaded from RSS feeds.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88241V-73577CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Prevent downloading of enclosures" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: DisableEnclosureDownload + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000421The Windows Explorer Preview pane must be disabled for Windows Server 2016.<VulnDiscussion>A known vulnerability in Windows could allow the execution of malicious code by either opening a compromised document or viewing it in the Windows Preview pane. + +Organizations must disable the Windows Preview pane and Windows Detail pane.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-111573V-102623CCI-000366Ensure the following settings are configured for Windows Server 2016 locally or applied through group policy. 
+ +Configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Explorer Frame Pane "Turn off Preview Pane" to "Enabled". + +Configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Explorer Frame Pane "Turn on or off details pane" to "Enabled" and "Configure details pane" to "Always hide".If the following registry values do not exist or are not configured as specified, this is a finding: + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + +Value Name: NoPreviewPane + +Value Type: REG_DWORD + +Value: 1 + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + +Value Name: NoReadingPane + +Value Type: REG_DWORD + +Value: 1 +SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-CC-000430Basic authentication for RSS feeds over HTTP must not be used.<VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73579SV-88243CCI-000381The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. 
+ +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Turn on Basic feed authentication over HTTP" to "Not Configured" or "Disabled".The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. + +If the registry value name below does not exist, this is not a finding. + +If it exists and is configured with a value of "0", this is not a finding. + +If it exists and is configured with a value of "1", this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ + +Value Name: AllowBasicAuthInClear + +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist)SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-CC-000440Indexing of encrypted files must be turned off.<VulnDiscussion>Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73581SV-88245CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> "Allow indexing of encrypted files" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Windows Search\ + +Value Name: AllowIndexingEncryptedStoresOrItems + +Value Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN16-CC-000450Users must be prevented from changing installation options.<VulnDiscussion>Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88247V-73583CCI-001812Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Allow user control over installs" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ + +Value Name: EnableUserControl + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000362-GPOS-00149<GroupDescription></GroupDescription>WN16-CC-000460The Windows Installer Always install with elevated privileges option must be disabled.<VulnDiscussion>Standard user accounts must not be granted elevated privileges. 
Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73585SV-88249CCI-001812Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ + +Value Name: AlwaysInstallElevated + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-CC-000470Users must be notified if a web-based program attempts to install software.<VulnDiscussion>Web-based programs may attempt to install malicious software on a system. 
Ensuring users are notified if a web-based program attempts to install software allows them to refuse the installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88251V-73587CCI-000366The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. + +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Not Configured" or "Disabled".The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. + +If the registry value name below does not exist, this is not a finding. + +If it exists and is configured with a value of "0", this is not a finding. + +If it exists and is configured with a value of "1", this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ + +Value Name: SafeForScripting + +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist)SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>WN16-CC-000480Automatically signing in the last interactive user after a system-initiated restart must be disabled.<VulnDiscussion>Windows can be configured to automatically sign the user back in after a Windows Update restart. 
Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88253V-73589CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> "Sign-in last interactive user automatically after a system-initiated restart" to "Disabled".Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: DisableAutomaticRestartSignOn + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000042-GPOS-00020<GroupDescription></GroupDescription>WN16-CC-000490PowerShell script block logging must be enabled.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. 
This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88255V-73591CCI-000135Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ + +Value Name: EnableScriptBlockLogging + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>WN16-CC-000500The Windows Remote Management (WinRM) client must not use Basic authentication.<VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88257V-73593CCI-000877Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow Basic authentication" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000393-GPOS-00173<GroupDescription></GroupDescription>WN16-CC-000510The Windows Remote Management (WinRM) client must not allow unencrypted traffic.<VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. 
+ +Satisfies: SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73595SV-88259CCI-002890CCI-003123Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow unencrypted traffic" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>WN16-CC-000520The Windows Remote Management (WinRM) client must not use Digest authentication.<VulnDiscussion>Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. 
Disallowing Digest authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88261V-73597CCI-000877Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Disallow Digest authentication" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ + +Value Name: AllowDigest + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>WN16-CC-000530The Windows Remote Management (WinRM) service must not use Basic authentication.<VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88263V-73599CCI-000877Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow Basic authentication" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowBasic + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000393-GPOS-00173<GroupDescription></GroupDescription>WN16-CC-000540The Windows Remote Management (WinRM) service must not allow unencrypted traffic.<VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. 
+ +Satisfies: SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88265V-73601CCI-002890CCI-003123Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow unencrypted traffic" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: AllowUnencryptedTraffic + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000373-GPOS-00157<GroupDescription></GroupDescription>WN16-CC-000550The Windows Remote Management (WinRM) service must not store RunAs credentials.<VulnDiscussion>Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins. 
+ +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73603SV-88267CCI-002038Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Disallow WinRM from storing RunAs credentials" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ + +Value Name: DisableRunAs + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-DC-000010Only administrators responsible for the domain controller must have Administrator rights on the system.<VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. + +System administrators must log on to systems using only accounts with the minimum level of authority necessary. 
+ +Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73219SV-87871CCI-002235Configure the Administrators group to include only administrator groups or accounts that are responsible for the system. + +Remove any standard user accounts.This applies to domain controllers. A separate version applies to other systems. + +Review the Administrators group. Only the appropriate administrator groups or accounts responsible for administration of the system may be members of the group. + +Standard user accounts must not be members of the local administrator group. + +If prohibited accounts are members of the local administrators group, this is a finding. + +If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding.SRG-OS-000112-GPOS-00057<GroupDescription></GroupDescription>WN16-DC-000020Kerberos user logon restrictions must be enforced.<VulnDiscussion>This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is enabled by default, which is the most secure setting for validating that access to target resources is not circumvented. 
+ +Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88011V-73359CCI-001941CCI-001942Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Enforce user logon restrictions" to "Enabled".This applies to domain controllers. It is NA for other systems. + +Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". + +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). + +Right-click on the "Default Domain Policy". + +Select "Edit". + +Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. + +If the "Enforce user logon restrictions" is not set to "Enabled", this is a finding.SRG-OS-000112-GPOS-00057<GroupDescription></GroupDescription>WN16-DC-000030The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.<VulnDiscussion>This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket used to authenticate the connection expires during the connection. 
+ +Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88013V-73361CCI-001941CCI-001942Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for service ticket" to a maximum of "600" minutes, but not "0", which equates to "Ticket doesn't expire".This applies to domain controllers. It is NA for other systems. + +Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". + +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). + +Right-click on the "Default Domain Policy". + +Select "Edit". + +Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. + +If the value for "Maximum lifetime for service ticket" is "0" or greater than "600" minutes, this is a finding.SRG-OS-000112-GPOS-00057<GroupDescription></GroupDescription>WN16-DC-000040The Kerberos user ticket lifetime must be limited to 10 hours or less.<VulnDiscussion>In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is limited. This policy controls how long TGTs can be renewed. With Kerberos, the user's initial authentication to the domain controller results in a TGT, which is then used to request Service Tickets to resources. 
Upon startup, each computer gets a TGT before requesting a service ticket to the domain controller and any other computers it needs to access. For services that start up under a specified user account, users must always get a TGT first and then get Service Tickets to all computers and services accessed. + +Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88015V-73363CCI-001941CCI-001942Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket" to a maximum of "10" hours but not "0", which equates to "Ticket doesn't expire".This applies to domain controllers. It is NA for other systems. + +Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". + +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). + +Right-click on the "Default Domain Policy". + +Select "Edit". + +Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. 
+ +If the value for "Maximum lifetime for user ticket" is "0" or greater than "10" hours, this is a finding.SRG-OS-000112-GPOS-00057<GroupDescription></GroupDescription>WN16-DC-000050The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.<VulnDiscussion>This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to crack the TGT and gain access. + +Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88017V-73365CCI-001941CCI-001942Configure the policy value in the Default Domain Policy for Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum lifetime for user ticket renewal" to a maximum of "7" days or less.This applies to domain controllers. It is NA for other systems. + +Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". + +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). + +Right-click on the "Default Domain Policy". + +Select "Edit". + +Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. 
+ +If the "Maximum lifetime for user ticket renewal" is greater than "7" days, this is a finding.SRG-OS-000112-GPOS-00057<GroupDescription></GroupDescription>WN16-DC-000060The computer clock synchronization tolerance must be limited to 5 minutes or less.<VulnDiscussion>This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible. + +Satisfies: SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88019V-73367CCI-001941CCI-001942Configure the policy value in the Default Domain Policy for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy >> "Maximum tolerance for computer clock synchronization" to a maximum of "5" minutes or less.This applies to domain controllers. It is NA for other systems. + +Verify the following is configured in the Default Domain Policy. + +Open "Group Policy Management". + +Navigate to "Group Policy Objects" in the Domain being reviewed (Forest >> Domains >> Domain). + +Right-click on the "Default Domain Policy". + +Select "Edit". + +Navigate to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy. 
+ +If the "Maximum tolerance for computer clock synchronization" is greater than "5" minutes, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-DC-000070Permissions on the Active Directory data files must only allow System and Administrators access.<VulnDiscussion>Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete directory data or audit trails.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88021V-73369CCI-002235Maintain the permissions on NTDS database and log files as follows: + +NT AUTHORITY\SYSTEM:(I)(F) +BUILTIN\Administrators:(I)(F) + +(I) - permission inherited from parent container +(F) - full accessThis applies to domain controllers. It is NA for other systems. + +Run "Regedit". + +Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". + +Note the directory locations in the values for: + +Database log files path +DSA Database file + +By default, they will be \Windows\NTDS. + +If the locations are different, the following will need to be run for each. + +Open "Command Prompt (Admin)". + +Navigate to the NTDS directory (\Windows\NTDS by default). + +Run "icacls *.*". + +If the permissions on each file are not as restrictive as the following, this is a finding. 
+ +NT AUTHORITY\SYSTEM:(I)(F) +BUILTIN\Administrators:(I)(F) + +(I) - permission inherited from parent container +(F) - full accessSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-DC-000080The Active Directory SYSVOL directory must have the proper access control permissions.<VulnDiscussion>Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. + +The SYSVOL directory contains public files (to the domain) such as policies and logon scripts. Data in shared subdirectories are replicated to all domain controllers in a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88023V-73371CCI-002235Maintain the permissions on the SYSVOL directory. Do not allow greater than "Read & execute" permissions for standard user accounts or groups. The defaults below meet this requirement. + +C:\Windows\SYSVOL +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +Authenticated Users - Read & execute - This folder, subfolder, and files +Server Operators - Read & execute- This folder, subfolder, and files +Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) +CREATOR OWNER - Full control - Subfolders and files only +Administrators - Full control - Subfolders and files only +SYSTEM - Full control - This folder, subfolders, and filesThis applies to domain controllers. It is NA for other systems. + +Open a command prompt. + +Run "net share". + +Make note of the directory location of the SYSVOL share. 
+ +By default, this will be \Windows\SYSVOL\sysvol. For this requirement, permissions will be verified at the first SYSVOL directory level. + +If any standard user accounts or groups have greater than "Read & execute" permissions, this is a finding. + +The default permissions noted below meet this requirement. + +Open "Command Prompt". + +Run "icacls c:\Windows\SYSVOL". + +The following results should be displayed: + +NT AUTHORITY\Authenticated Users:(RX) +NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE) +BUILTIN\Server Operators:(RX) +BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE) +BUILTIN\Administrators:(M,WDAC,WO) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(F) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M,WDAC,WO) +CREATOR OWNER:(OI)(CI)(IO)(F) + +(RX) - Read & execute + +Run "icacls /help" to view definitions of other permission codes. + +Alternately, open "File Explorer". + +Navigate to \Windows\SYSVOL (or the directory noted previously if different). + +Right-click the directory and select properties. + +Select the "Security" tab and click "Advanced". 
+ +Default permissions: + +C:\Windows\SYSVOL +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +Authenticated Users - Read & execute - This folder, subfolder, and files +Server Operators - Read & execute- This folder, subfolder, and files +Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control) +CREATOR OWNER - Full control - Subfolders and files only +Administrators - Full control - Subfolders and files only +SYSTEM - Full control - This folder, subfolders, and filesSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-DC-000090Active Directory Group Policy objects must have proper access control permissions.<VulnDiscussion>When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems relying on the directory service. + +For Active Directory (AD), the Group Policy objects require special attention. In a distributed administration model (i.e., help desk), Group Policy objects are more likely to have access permissions changed from the secure defaults. 
If inappropriate access permissions are defined for Group Policy objects, this could allow an intruder to change the security policy applied to all domain client computers (workstations and servers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88025V-73373CCI-002235Maintain the permissions on Group Policy objects to not allow greater than "Read" and "Apply group policy" for standard user accounts or groups. The default permissions below meet this requirement. + +Authenticated Users - Read, Apply group policy, Special permissions + +The special permissions for Authenticated Users are for Read-type Properties. + +CREATOR OWNER - Special permissions +SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions +Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions +Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + +Document any other access permissions that allow the objects to be updated with the ISSO. + +The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. They will have this permission on created Group Policy objects.This applies to domain controllers. It is NA for other systems. + +Review the permissions on Group Policy objects. + +Open "Group Policy Management" (available from various menus or run "gpmc.msc"). 
+ +Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). + +For each Group Policy object: + +Select the Group Policy object item in the left pane. + +Select the "Delegation" tab in the right pane. + +Select the "Advanced" button. + +Select each Group or user name. + +View the permissions. + +If any standard user accounts or groups have "Allow" permissions greater than "Read" and "Apply group policy", this is a finding. + +Other access permissions that allow the objects to be updated are considered findings unless specifically documented by the ISSO. + +The default permissions noted below satisfy this requirement. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the next "Advanced" button, the desired Permission entry, and the "Edit" button. + +Authenticated Users - Read, Apply group policy, Special permissions + +The special permissions for Authenticated Users are for Read-type Properties. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +The special permissions for the following default groups are not the focus of this requirement and may include a wide range of permissions and properties. + +CREATOR OWNER - Special permissions +SYSTEM - Read, Write, Create all child objects, Delete all child objects, Special permissions +Domain Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions +Enterprise Admins - Read, Write, Create all child objects, Delete all child objects, Special permissions +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + +The Domain Admins and Enterprise Admins will not have the "Delete all child objects" permission on the two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy. 
They will have this permission on organization created Group Policy objects.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-DC-000100The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.<VulnDiscussion>When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. + +The Domain Controllers OU object requires special attention as the Domain Controllers are central to the configuration and management of the domain. Inappropriate access permissions defined for the Domain Controllers OU could allow an intruder or unauthorized personnel to make changes that could lead to the compromise of the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88027V-73375CCI-002235Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators. + +The default permissions listed below satisfy this requirement. + +Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions. 
+ +CREATOR OWNER - Special permissions + +SELF - Special permissions + +Authenticated Users - Read, Special permissions + +The special permissions for Authenticated Users are Read types. + +SYSTEM - Full Control + +Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Enterprise Admins - Full Control + +Key Admins - Special permissions + +Enterprise Key Admins - Special permissions + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions + +The special permissions for Pre-Windows 2000 Compatible Access are Read types. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissionsThis applies to domain controllers. It is NA for other systems. + +Review the permissions on the Domain Controllers OU. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Select "Advanced Features" in the "View" menu if not previously selected. + +Select the "Domain Controllers" OU (folder in folder icon). + +Right-click and select "Properties". + +Select the "Security" tab. + +If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding. + +The default permissions listed below satisfy this requirement. + +Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "View" or "Edit" button. 
+ +Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. + +CREATOR OWNER - Special permissions + +SELF - Special permissions + +Authenticated Users - Read, Special permissions + +The special permissions for Authenticated Users are Read types. + +If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +SYSTEM - Full Control + +Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Enterprise Admins - Full Control + +Key Admins - Special permissions + +Enterprise Key Admins - Special permissions + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions + +The Special permissions for Pre-Windows 2000 Compatible Access are Read types. + +If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissionsSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-DC-000110Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions.<VulnDiscussion>When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the integrity of the data. When the directory service is used for identification, authentication, or authorization functions, a compromise of the database objects could lead to a compromise of all systems that rely on the directory service. + +For Active Directory, the OU objects require special attention. 
In a distributed administration model (i.e., help desk), OU objects are more likely to have access permissions changed from the secure defaults. If inappropriate access permissions are defined for OU objects, it could allow an intruder to add or delete users in the OU. This could result in unauthorized access to data or a denial of service to authorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88029V-73377CCI-002235Maintain the permissions on domain-defined OUs to be at least as restrictive as the defaults below. + +Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented. + +CREATOR OWNER - Special permissions + +Self - Special permissions + +Authenticated Users - Read, Special permissions + +The special permissions for Authenticated Users are Read type. + +SYSTEM - Full Control + +Domain Admins - Full Control + +Enterprise Admins - Full Control + +Key Admins - Special permissions + +Enterprise Key Admins - Special permissions + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions + +The special permissions for Pre-Windows 2000 Compatible Access are for Read types. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissionsThis applies to domain controllers. It is NA for other systems. + +Review the permissions on domain-defined OUs. 
+ +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: + +Right-click the OU and select "Properties". + +Select the "Security" tab. + +If the permissions on the OU are not at least as restrictive as those below, this is a finding. + +The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button. + +Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement. + +CREATOR OWNER - Special permissions + +Self - Special permissions + +Authenticated Users - Read, Special permissions + +The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +SYSTEM - Full Control + +Domain Admins - Full Control + +Enterprise Admins - Full Control + +Key Admins - Special permissions + +Enterprise Key Admins - Special permissions + +Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions + +Pre-Windows 2000 Compatible Access - Special permissions + +The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding. + +ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions + +If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO. 
+ +If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts). + +If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs).SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN16-DC-000120Data files owned by users must be on a different logical partition from the directory server data files.<VulnDiscussion>When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory service data may be more vulnerable to unauthorized access or other availability compromises. Directory service and user-owned data files sharing a partition may be configured with less restrictive permissions in order to allow access to the user data. + +The directory service may be vulnerable to a denial of service attack when user-owned files on a common partition are expanded to an extent preventing the directory service from acquiring more space for directory or audit data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73379SV-88031CCI-001090Move shares used to store files owned by users to a different logical partition than the directory server data files.This applies to domain controllers. It is NA for other systems. 
+ +Run "Regedit". + +Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters". + +Note the directory locations in the values for "DSA Database file". + +Open "Command Prompt". + +Enter "net share". + +Note the logical drive(s) or file system partition for any organization-created data shares. + +Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative shares ending in $). User shares that are hidden (ending with $) should not be ignored. + +If user shares are located on the same logical partition as the directory server data files, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-DC-000130Domain controllers must run on a machine dedicated to that function.<VulnDiscussion>Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require the addition of many programs and accounts, increasing the attack surface of the computer. + +Some applications require the addition of privileged accounts, providing potential sources of compromise. Some applications (such as Microsoft Exchange) may require the use of network ports or services conflicting with the directory server. 
In this case, non-standard ports might be selected, and this could interfere with intrusion detection or prevention services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73381SV-88033CCI-000381Remove additional roles or applications such as web, database, and email from the domain controller.This applies to domain controllers, It is NA for other systems. + +Review the installed roles the domain controller is supporting. + +Start "Server Manager". + +Select "AD DS" in the left pane and the server name under "Servers" to the right. + +Select "Add (or Remove) Roles and Features" from "Tasks" in the "Roles and Features" section. (Cancel before any changes are made.) + +Determine if any additional server roles are installed. A basic domain controller setup will include the following: + +- Active Directory Domain Services +- DNS Server +- File and Storage Services + +If any roles not requiring installation on a domain controller are installed, this is a finding. + +A Domain Name System (DNS) server integrated with the directory server (e.g., AD-integrated DNS) is an acceptable application. However, the DNS server must comply with the DNS STIG security requirements. + +Run "Programs and Features". + +Review installed applications. 
+ +If any applications are installed that are not required for the domain controller, this is a finding.SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>WN16-DC-000140Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.<VulnDiscussion>Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the classification level of directory data in transit is higher than the level of the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88035V-73383CCI-002450Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level that transfer replication data through a network cleared to a lower level than the data.This applies to domain controllers. It is NA for other systems. + +Review the organization network diagram(s) or documentation to determine the level of classification for the network(s) over which replication data is transmitted. + +Determine the classification level of the Windows domain controller. + +If the classification level of the Windows domain controller is higher than the level of the networks, review the organization network diagram(s) and directory implementation documentation to determine if NSA-approved encryption is used to protect the replication network traffic. 
+ +If the classification level of the Windows domain controller is higher than the level of the network traversed and NSA-approved encryption is not used, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-DC-000150Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.<VulnDiscussion>To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as network restrictions) are compromised, there may be nothing else to protect the confidentiality of sensitive directory data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88037V-73385CCI-000366Configure directory data (outside the root DSE) of a non-public directory to prevent anonymous access. + +For AD, there are multiple configuration items that could enable anonymous access. + +Changing the access permissions on the domain naming context object (from the secure defaults) could enable anonymous access. If the check procedures indicate this is the cause, the process that was used to change the permissions should be reversed. This could have been through the Windows Support Tools ADSI Edit console (adsiedit.msc). + +The dsHeuristics option is used. This is addressed in check V-8555 in the AD Forest STIG.This applies to domain controllers. It is NA for other systems. + +Open "Command Prompt" (not elevated). + +Run "ldp.exe". + +From the "Connection menu", select "Bind". + +Clear the User, Password, and Domain fields. 
+ +Select "Simple bind" for the Bind type and click "OK". + +Confirmation of anonymous access will be displayed at the end: + +res = ldap_simple_bind_s +Authenticated as: 'NT AUTHORITY\ANONYMOUS LOGON' + +From the "Browse" menu, select "Search". + +In the Search dialog, enter the DN of the domain naming context (generally something like "dc=disaost,dc=mil") in the Base DN field. + +Clear the Attributes field and select "Run". + +Error messages should display related to Bind and user not authenticated. + +If attribute data is displayed, anonymous access is enabled to the domain naming context and this is a finding. + +The following network controls allow the finding severity to be downgraded to a CAT II since these measures lower the risk associated with anonymous access. + +Network hardware ports at the site are subject to 802.1x authentication or MAC address restrictions. + +Premise firewall or host restrictions prevent access to ports 389, 636, 3268, and 3269 from client hosts not explicitly identified by domain (.mil) or IP address.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>WN16-DC-000160The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.<VulnDiscussion>The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established session is in progress, the more time an attacker has to hijack the session, implement a means to passively intercept data, or compromise any protections on client access. For example, if an attacker gains control of a client computer, an existing (already authenticated) session with the directory server could allow access to the directory. 
The lack of confidentiality protection in LDAP-based sessions increases exposure to this vulnerability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88039V-73387CCI-001133Configure the directory service to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. + +Open an elevated "Command prompt" (run as administrator). + +Enter "ntdsutil". + +At the "ntdsutil:" prompt, enter "LDAP policies". + +At the "ldap policy:" prompt, enter "connections". + +At the "server connections:" prompt, enter "connect to server [host-name]" (where [host-name] is the computer name of the domain controller). + +At the "server connections:" prompt, enter "q". + +At the "ldap policy:" prompt, enter "Set MaxConnIdleTime to 300". + +Enter "Commit Changes" to save. + +Enter "Show values" to verify changes. + +Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.This applies to domain controllers. It is NA for other systems. + +Open an elevated "Command Prompt" (run as administrator). + +Enter "ntdsutil". + +At the "ntdsutil:" prompt, enter "LDAP policies". + +At the "ldap policy:" prompt, enter "connections". + +At the "server connections:" prompt, enter "connect to server [host-name]" +(where [host-name] is the computer name of the domain controller). + +At the "server connections:" prompt, enter "q". + +At the "ldap policy:" prompt, enter "show values". + +If the value for MaxConnIdleTime is greater than "300" (5 minutes) or is not specified, this is a finding. + +Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit. 
+ +Alternately, Dsquery can be used to display MaxConnIdleTime: + +Open "Command Prompt (Admin)". +Enter the following command (on a single line). + +dsquery * "cn=Default Query Policy,cn=Query-Policies,cn=Directory Service, cn=Windows NT,cn=Services,cn=Configuration,dc=[forest-name]" -attr LDAPAdminLimits + +The quotes are required and dc=[forest-name] is the fully qualified LDAP name of the domain being reviewed (e.g., dc=disaost,dc=mil). + +If the results do not specify a "MaxConnIdleTime" or it has a value greater than "300" (5 minutes), this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-DC-000170Active Directory Group Policy objects must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes Group Policy objects. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73389SV-88041CCI-000172CCI-002234Configure the audit settings for Group Policy objects to include the following. + +This can be done at the Policy level in Active Directory to apply to all group policies. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Select "Advanced Features" from the "View" Menu. + +Navigate to [Domain] >> System >> Policies in the left panel. + +Right click "Policies", select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button. + +Select the "Auditing" tab. + +Type - Fail +Principal - Everyone +Access - Full Control +Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects + +The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. + +Type - Success +Principal - Everyone +Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) +Inherited from - Parent Object +Applies to - Descendant groupPolicyContainer objects + +Two instances with the following summary information will be listed. 
+ +Type - Success +Principal - Everyone +Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) +Inherited from - Parent Object +Applies to - Descendant Organization Unit ObjectsThis applies to domain controllers. It is NA for other systems. + +Review the auditing configuration for all Group Policy objects. + +Open "Group Policy Management" (available from various menus or run "gpmc.msc"). + +Navigate to "Group Policy Objects" in the domain being reviewed (Forest >> Domains >> Domain). + +For each Group Policy object: + +Select the Group Policy object item in the left pane. + +Select the "Delegation" tab in the right pane. + +Select the "Advanced" button. + +Select the "Advanced" button again and then the "Auditing" tab. + +If the audit settings for any Group Policy object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Applies to - This object and all descendant objects or Descendant groupPolicyContainer objects + +The three Success types listed below are defaults inherited from the Parent Object. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. + +Type - Success +Principal - Everyone +Access - Special (Permissions: Write all properties, Modify permissions; Properties: all "Write" type selected) +Inherited from - Parent Object +Applies to - Descendant groupPolicyContainer objects + +Two instances with the following summary information will be listed. 
+ +Type - Success +Principal - Everyone +Access - blank (Permissions: none selected; Properties: one instance - Write gPLink, one instance - Write gPOptions) +Inherited from - Parent Object +Applies to - Descendant Organization Unit ObjectsSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-DC-000180The Active Directory Domain object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73391SV-88043CCI-002234CCI-000172Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select the domain being reviewed in the left pane. + +Right-click the domain name and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +Configure the audit settings for Domain object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Two instances with the following summary information will be listed. 
+ +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - None +Applies to - Special + +Type - Success +Principal - Domain Users +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Administrators +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner.)This applies to domain controllers. It is NA for other systems. + +Review the auditing configuration for the Domain object. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select the domain being reviewed in the left pane. + +Right-click the domain name and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +If the audit settings on the Domain object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Two instances with the following summary information will be listed. 
+ +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - None +Applies to - Special + +Type - Success +Principal - Domain Users +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Administrators +Access - All extended rights +Inherited from - None +Applies to - This object only + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: Write all properties, Modify permissions, Modify owner)SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-DC-000190The Active Directory Infrastructure object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Infrastructure object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73393SV-88045CCI-000172CCI-002234Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select the domain being reviewed in the left pane. + +Right-click the "Infrastructure" object in the right pane and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +Configure the audit settings for Infrastructure object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +(Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain)This applies to domain controllers. It is NA for other systems. + +Review the auditing configuration for Infrastructure object. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. 
+ +Select the domain being reviewed in the left pane. + +Right-click the "Infrastructure" object in the right pane and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +If the audit settings on the Infrastructure object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +(Access - Special = Permissions: Write all properties, All extended rights, Change infrastructure master) + +Two instances with the following summary information will be listed. +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain)SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-DC-000200The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the Domain Controller OU object. 
Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88047V-73395CCI-002234CCI-000172Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select the "Domain Controllers OU" under the domain being reviewed in the left pane. + +Right-click the "Domain Controllers OU" object and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +Configure the audit settings for Domain Controllers OU object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. 
+ +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: all create, delete and modify permissions) + +Type - Success +Principal - Everyone +Access - Write all properties +Inherited from - None +Applies to - This object and all descendant objects + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objectsThis applies to domain controllers. It is NA for other systems. + +Review the auditing configuration for the Domain Controller OU object. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select the "Domain Controllers OU" under the domain being reviewed in the left pane. + +Right-click the "Domain Controllers OU" object and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +If the audit settings on the Domain Controllers OU object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object and all descendant objects + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Permissions: all create, delete and modify permissions) + +Type - Success +Principal - Everyone +Access - Write all properties +Inherited from - None +Applies to - This object and all descendant objects + +Two instances with the following summary information will be listed. 
+ +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objectsSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-DC-000210The Active Directory AdminSDHolder object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. + +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the AdminSDHolder object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73397SV-88049CCI-000172CCI-002234Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select "System" under the domain being reviewed in the left pane. + +Right-click the "AdminSDHolder" object in the right pane and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +Configure the audit settings for AdminSDHolder object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Write all properties, Modify permissions, Modify owner) + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objectsThis applies to domain controllers. It is NA for other systems. + +Review the auditing configuration for the "AdminSDHolder" object. 
+ +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select "System" under the domain being reviewed in the left pane. + +Right-click the "AdminSDHolder" object in the right pane and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +If the audit settings on the "AdminSDHolder" object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None +Applies to - This object only + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None +Applies to - This object only +(Access - Special = Write all properties, Modify permissions, Modify owner) + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain) +Applies to - Descendant Organizational Unit objectsSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-DC-000220The Active Directory RID Manager$ object must be configured with proper audit settings.<VulnDiscussion>When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The impact of missing audit data is related to the type of object. A failure to capture audit data for objects used by identification, authentication, or authorization functions could degrade or eliminate the ability to track changes to access policy for systems or data. 
+ +For Active Directory (AD), there are a number of critical object types in the domain naming context of the AD database for which auditing is essential. This includes the RID Manager$ object. Because changes to these objects can significantly impact access controls or the availability of systems, the absence of auditing data makes it impossible to identify the source of changes that impact the confidentiality, integrity, and availability of data and systems throughout an AD domain. The lack of proper auditing can result in insufficient forensic evidence needed to investigate an incident and prosecute the intruder. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73399SV-88051CCI-002234CCI-000172Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select "System" under the domain being reviewed in the left pane. + +Right-click the "RID Manager$" object in the right pane and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +Configure the audit settings for RID Manager$ object to include the following. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. 
+ +Type - Success +Principal - Everyone +Access - Special +Inherited from - None + (Access - Special = Write all properties, All extended rights, Change RID master) + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain)This applies to domain controllers. It is NA for other systems. + +Review the auditing configuration for the "RID Manager$" object. + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Ensure "Advanced Features" is selected in the "View" menu. + +Select "System" under the domain being reviewed in the left pane. + +Right-click the "RID Manager$" object in the right pane and select "Properties". + +Select the "Security" tab. + +Select the "Advanced" button and then the "Auditing" tab. + +If the audit settings on the "RID Manager$" object are not at least as inclusive as those below, this is a finding. + +Type - Fail +Principal - Everyone +Access - Full Control +Inherited from - None + +The success types listed below are defaults. Where Special is listed in the summary screens for Access, detailed Permissions are provided for reference. Various Properties selections may also exist by default. + +Type - Success +Principal - Everyone +Access - Special +Inherited from - None + (Access - Special = Write all properties, All extended rights, Change RID master) + +Two instances with the following summary information will be listed. + +Type - Success +Principal - Everyone +Access - (blank) +Inherited from - (CN of domain)SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>WN16-DC-000230Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Computer Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling computer accounts. + +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88069V-73417CCI-000172CCI-000018CCI-001403CCI-001404CCI-002130CCI-001405Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Computer Account Management" with "Success" selected.This applies to domain controllers. It is NA for other systems. + +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. 
+ +Account Management >> Computer Account Management - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-DC-000240Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Directory Service Access records events related to users accessing an Active Directory object. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88087V-73435CCI-002234CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Access" with "Success" selected.This applies to domain controllers. It is NA for other systems. + +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. 
+ +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +DS Access >> Directory Service Access - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-DC-000250Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Directory Service Access records events related to users accessing an Active Directory object. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88089V-73437CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Access" with "Failure" selected.This applies to domain controllers. It is NA for other systems. 
+ +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +DS Access >> Directory Service Access - FailureSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-DC-000260Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Directory Service Changes records events related to changes made to objects in Active Directory Domain Services. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73439SV-88091CCI-000172CCI-002234Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Changes" with "Success" selected.This applies to domain controllers. It is NA for other systems. + +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +DS Access >> Directory Service Changes - SuccessSRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>WN16-DC-000270Windows Server 2016 must be configured to audit DS Access - Directory Service Changes failures.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Directory Service Changes records events related to changes made to objects in Active Directory Domain Services. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73441SV-88093CCI-002234CCI-000172Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> DS Access >> "Directory Service Changes" with "Failure" selected.This applies to domain controllers. It is NA for other systems. + +Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN16-SO-000050) for the detailed auditing subcategories to be effective. + +Use the AuditPol tool to review the current Audit Policy configuration: + +Open an elevated "Command Prompt" (run as administrator). + +Enter "AuditPol /get /category:*". + +Compare the AuditPol settings with the following. + +If the system does not audit the following, this is a finding. + +DS Access >> Directory Service Changes - FailureSRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN16-DC-000280Domain controllers must have a PKI server certificate.<VulnDiscussion>Domain controllers are part of the chain of trust for PKI authentications. 
Without the appropriate certificate, the authenticity of the domain controller cannot be verified. Domain controllers must have a server certificate to establish authenticity as part of PKI authentications in the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73611SV-88275CCI-000185Obtain a server certificate for the domain controller.This applies to domain controllers. It is NA for other systems. + +Run "MMC". + +Select "Add/Remove Snap-in" from the "File" menu. + +Select "Certificates" in the left pane and click the "Add >" button. + +Select "Computer Account" and click "Next". + +Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". + +Click "OK". + +Select and expand the Certificates (Local Computer) entry in the left pane. + +Select and expand the Personal entry in the left pane. + +Select the Certificates entry in the left pane. + +If no certificate for the domain controller exists in the right pane, this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN16-DC-000290Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).<VulnDiscussion>A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions. The use of multiple CAs from separate PKI implementations results in interoperability issues. 
If servers and clients do not have a common set of root CA certificates, they are not able to authenticate each other.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73613SV-88277CCI-000185Obtain a server certificate for the domain controller issued by the DoD PKI or an approved ECA.This applies to domain controllers. It is NA for other systems. + +Run "MMC". + +Select "Add/Remove Snap-in" from the "File" menu. + +Select "Certificates" in the left pane and click the "Add >" button. + +Select "Computer Account" and click "Next". + +Select the appropriate option for "Select the computer you want this snap-in to manage" and click "Finish". + +Click "OK". + +Select and expand the Certificates (Local Computer) entry in the left pane. + +Select and expand the Personal entry in the left pane. + +Select the Certificates entry in the left pane. + +In the right pane, examine the "Issued By" field for the certificate to determine the issuing CA. + +If the "Issued By" field of the PKI certificate being used by the domain controller does not indicate the issuing CA is part of the DoD PKI or an approved ECA, this is a finding. + +If the certificates in use are issued by a CA authorized by the Component's CIO, this is a CAT II finding. + +There are multiple sources from which lists of valid DoD CAs and approved ECAs can be obtained: + +The Global Directory Service (GDS) website provides an online source. The address for this site is https://crl.gds.disa.mil. 
+ +DoD Public Key Enablement (PKE) Engineering Support maintains the InstallRoot utility to manage DoD supported root certificates on Windows computers, which includes a list of authorized CAs. The utility package can be downloaded from the PKI and PKE Tools page on IASE: + +http://iase.disa.mil/pki-pke/function_pages/tools.htmlSRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN16-DC-000300PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).<VulnDiscussion>A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have limited value in authentication functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73615SV-88279CCI-000185Map user accounts to PKI certificates using the appropriate User Principal Name (UPN) for the network. See PKE documentation for details.This applies to domain controllers. It is NA for other systems. + +Review user account mappings to PKI certificates. + +Open "Windows PowerShell". + +Enter "Get-ADUser -Filter * | FT Name, UserPrincipalName, Enabled". + +Exclude disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. + +If the User Principal Name (UPN) is not in the format of an individual's identifier for the certificate type and for the appropriate domain suffix, this is a finding. 
+ +For standard NIPRNet certificates the individual's identifier is in the format of an Electronic Data Interchange - Personnel Identifier (EDI-PI). + +Alt Tokens and other certificates may use a different UPN format than the EDI-PI which vary by organization. Verified these with the organization. + +NIPRNet Example: +Name - User Principal Name +User1 - 1234567890@mil + +See PKE documentation for other network domain suffixes. + +If the mappings are to certificates issued by a CA authorized by the Component's CIO, this is a CAT II finding.SRG-OS-000105-GPOS-00052<GroupDescription></GroupDescription>WN16-DC-000310Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.<VulnDiscussion>Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for authentication. + +Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73617SV-88281CCI-000765CCI-000766CCI-000767CCI-000768CCI-001948Configure all user accounts, including administrator accounts, in Active Directory to enable the option "Smart card is required for interactive logon". 
+ +Run "Active Directory Users and Computers" (available from various menus or run "dsa.msc"): + +Select the OU where the user accounts are located. (By default this is the Users node; however, accounts may be under other organization-defined OUs.) + +Right-click the user account and select "Properties". + +Select the "Account" tab. + +Check "Smart card is required for interactive logon" in the "Account Options" area.This applies to domain controllers. It is NA for other systems. + +Open "PowerShell". + +Enter the following: + +"Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name" +("DistinguishedName" may be substituted for "Name" for more detailed output.) + +If any user accounts, including administrators, are listed, this is a finding. + +Alternately: + +To view sample accounts in "Active Directory Users and Computers" (available from various menus or run "dsa.msc"): + +Select the Organizational Unit (OU) where the user accounts are located. (By default, this is the Users node; however, accounts may be under other organization-defined OUs.) + +Right-click the sample user account and select "Properties". + +Select the "Account" tab. + +If any user accounts, including administrators, do not have "Smart card is required for interactive logon" checked in the "Account Options" area, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN16-DC-000320Domain controllers must require LDAP access signing.<VulnDiscussion>Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. In the case of an LDAP server, this means that an attacker could cause a client to make decisions based on false records from the LDAP directory. The risk of an attacker pulling this off can be decreased by implementing strong physical security measures to protect the network infrastructure. 
Furthermore, implementing Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle attacks extremely difficult. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88293V-73629CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: LDAP server signing requirements" to "Require signing".This applies to domain controllers. It is NA for other systems. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ + +Value Name: LDAPServerIntegrity + +Value Type: REG_DWORD +Value: 0x00000002 (2)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-DC-000330Domain controllers must be configured to allow reset of machine account passwords.<VulnDiscussion>Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. 
If these passwords are weak or compromised, the inability to change them may leave these computers vulnerable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88295V-73631CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain controller: Refuse machine account password changes" to "Disabled".This applies to domain controllers. It is NA for other systems. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RefusePasswordChange + +Value Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-DC-000340The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and +Enterprise Domain Controllers groups on domain controllers.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
+ +Accounts with the "Access this computer from the network" right may access resources on the system, and this right must be limited to those requiring it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73731SV-88395CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to include only the following accounts or groups: + +- Administrators +- Authenticated Users +- Enterprise Domain ControllersThis applies to domain controllers. It is NA for other systems. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Access this computer from the network" right, this is a finding. + +- Administrators +- Authenticated Users +- Enterprise Domain Controllers + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeNetworkLogonRight" user right, this is a finding. + +S-1-5-32-544 (Administrators) +S-1-5-11 (Authenticated Users) +S-1-5-9 (Enterprise Domain Controllers) + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. 
+ +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-DC-000350The Add workstations to domain user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Add workstations to domain" right may add computers to a domain. This could result in unapproved or incorrectly configured systems being added to a domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88401V-73737CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Add workstations to domain" to include only the following accounts or groups: + +- AdministratorsThis applies to domain controllers. It is NA for other systems. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Add workstations to domain" right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. 
+ +If any SIDs other than the following are granted the "SeMachineAccountPrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators)SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-DC-000360The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Allow log on through Remote Desktop Services" user right can access a system through Remote Desktop.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88405V-73741CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on through Remote Desktop Services" to include only the following accounts or groups: + +- AdministratorsThis applies to domain controllers, it is NA for other systems. + +Verify the effective setting in Local Group Policy Editor. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on through Remote Desktop Services" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. 
+ +If any SIDs other than the following are granted the "SeRemoteInteractiveLogonRight" user right, this is a finding. + +S-1-5-32-544 (Administrators)SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-DC-000370The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny access to this computer from the network" user right defines the accounts that are prevented from logging on from the network. + +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88421V-73757CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following: + +- Guests GroupThis applies to domain controllers. A separate version applies to other systems. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding. 
+ +- Guests Group + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If the following SIDs are not defined for the "SeDenyNetworkLogonRight" user right, this is a finding. + +S-1-5-32-546 (Guests)SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-DC-000380The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on as a batch job" user right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler. + +The Guests group must be assigned to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88425V-73761CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following: + +- Guests GroupThis applies to domain controllers. A separate version applies to other systems. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding. 
+ +- Guests Group + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If the following SID(s) are not defined for the "SeDenyBatchLogonRight" user right, this is a finding. + +S-1-5-32-546 (Guests)SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-DC-000390The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on as a service" user right defines accounts that are denied logon as a service. + +Incorrect configurations could prevent services from starting and result in a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73765SV-88429CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include no entries (blank).This applies to domain controllers. A separate version applies to other systems. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups are defined for the "Deny log on as a service" user right, this is a finding. 
+ +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs are granted the "SeDenyServiceLogonRight" user right, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-DC-000400The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on locally" user right defines accounts that are prevented from logging on interactively. + +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73769SV-88433CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following: + +- Guests GroupThis applies to domain controllers. A separate version applies to other systems. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding. + +- Guests Group + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. 
+ +If the following SID(s) are not defined for the "SeDenyInteractiveLogonRight" user right, this is a finding. + +S-1-5-32-546 (Guests)SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>WN16-DC-000410The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on through Remote Desktop Services" user right defines the accounts that are prevented from logging on using Remote Desktop Services. + +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88437V-73773CCI-002314Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following: + +- Guests GroupThis applies to domain controllers. A separate version applies to other systems. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding. 
+ +- Guests Group + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If the following SID(s) are not defined for the "SeDenyRemoteInteractiveLogonRight" user right, this is a finding. + +S-1-5-32-546 (Guests)SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-DC-000420The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. This could allow unauthorized users to impersonate other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88441V-73777CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to include only the following accounts or groups: + +- AdministratorsThis applies to domain controllers. A separate version applies to other systems. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeEnableDelegationPrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-DC-000430The password for the krbtgt account on a domain must be reset at least every 180 days.<VulnDiscussion>The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domain is created and the password is typically not changed. If the krbtgt account is compromised, attackers can create valid Kerberos Ticket Granting Tickets (TGT). + +The password must be changed twice to effectively remove the password history.Changing once, waiting for replication to complete and the amount of time equal to or greater than the maximum Kerberos ticket lifetime, and changing again reduces the risk of issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-91779SV-101881CCI-000366Reset the password for the krbtgt account a least every 180 days. The password must be changed twice to effectively remove the password history. Changing once, waiting for replication to complete and changing again reduces the risk of issues. 
Changing twice in rapid succession forces clients to re-authenticate (including application services) but is desired if a compromise is suspected. + +PowerShell scripts are available to accomplish this such as at the following link: +https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51 + +Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). + +Select "Advanced Features" in the "View" menu if not previously selected. + +Select the "Users" node. + +Right click on the krbtgt account and select "Reset password". + +Enter a password that meets password complexity requirements. + +Clear the "User must change password at next logon" check box. + +The system will automatically change this to a system generated complex password.This requirement is applicable to domain controllers; it is NA for other systems. + +Open "Windows PowerShell". + +Enter "Get-ADUser krbtgt -Property PasswordLastSet". + +If the "PasswordLastSet" date is more than 180 days old, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-MS-000010Only administrators responsible for the member server or standalone system must have Administrator rights on the system.<VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. + +System administrators must log on to systems using only accounts with the minimum level of authority necessary. + +For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group (see V-36433 in the Active Directory Domain STIG). Restricting highly privileged accounts from the local Administrators group helps mitigate the risk of privilege escalation resulting from credential theft attacks. 
+ +Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-87873V-73221CCI-002235Configure the local "Administrators" group to include only administrator groups or accounts responsible for administration of the system. + +For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. + +Remove any standard user accounts.This applies to member servers and standalone systems. A separate version applies to domain controllers. + +Open "Computer Management". + +Navigate to "Groups" under "Local Users and Groups". + +Review the local "Administrators" group. + +Only administrator groups or accounts responsible for administration of the system may be members of the group. + +For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. + +Standard user accounts must not be members of the local Administrator group. + +If accounts that do not have responsibility for administration of the system are members of the local Administrators group, this is a finding. 
+ +If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding.SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN16-MS-000020Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.<VulnDiscussion>A compromised local administrator account can provide means for an attacker to move laterally between domain systems. + +With User Account Control enabled, filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88147V-73495CCI-001084Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Apply UAC restrictions to local accounts on network logons" to "Enabled". + +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and " SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.This applies to member servers. For domain controllers and standalone systems, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + +Value Name: LocalAccountTokenFilterPolicy + +Type: REG_DWORD +Value: 0x00000000 (0) + +This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to "1" may be required.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>WN16-MS-000030Local users on domain-joined computers must not be enumerated.<VulnDiscussion>The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88187V-73533CCI-000381Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Enumerate local users on domain-joined computers" to "Disabled".This applies to member servers. For domain controllers and standalone systems, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ + +Value Name: EnumerateLocalUsers + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000379-GPOS-00164<GroupDescription></GroupDescription>WN16-MS-000040Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server.<VulnDiscussion>Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88203V-73541CCI-001967Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Procedure Call >> "Restrict Unauthenticated RPC clients" to "Enabled" with "Authenticated" selected.This applies to member servers and standalone systems, It is NA for domain controllers. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ + +Value Name: RestrictRemoteClients + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-MS-000050Caching of logon credentials must be limited.<VulnDiscussion>The default Windows configuration caches the last logon credentials for users who log on interactively to a system. 
This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73651SV-88315CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)" to "4" logons or less.This applies to member servers. For domain controllers and standalone systems, this is NA. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: CachedLogonsCount + +Value Type: REG_SZ +Value: 4 (or less)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-MS-000120Windows Server 2016 must be running Credential Guard on domain-joined member servers.<VulnDiscussion>Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. 
This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73515SV-88167CCI-000366Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration". + +A Microsoft article on Credential Guard system requirement can be found at the following link: + +https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements + +Severity Override Guidance: The AO can allow the severity override if they have reviewed the overall protection provided to the affected servers that are not capable of complying with the Credential Guard requirement. Items that should be reviewed/considered for compliance or mitigation for non-Credential Guard compliance are: + +The use of Microsoft Local Administrator Password Solution (LAPS) or similar products to control different local administrative passwords for all affected affected servers. This is to include a strict password change requirement (60 days or less). +…. +Strict separation of roles and duties. Server administrator credentials cannot be used on Windows 10 desktop to administer it. Documentation of all exceptions should be supplied. +…. 
+Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected affected servers. +…. +Boundary Protection that is currently in place to protect from vulnerabilities in the network/servers. +…. +Windows Defender rule block credential stealing from LSASS.exe is applied. This rule can only be applied if Windows Defender is in use. +…. +The overall number of vulnerabilities that are unmitigated on the network/servers. +For domain controllers and standalone systems, this is NA. + +Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. + +Open "PowerShell" with elevated privileges (run as administrator). + +Enter the following: + +"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" + +If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. + +Alternately: + +Run "System Information". + +Under "System Summary", verify the following: + +If "Device Guard Security Services Running" does not list "Credential Guard", this is finding. + +The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ + +Value Name: LsaCfgFlags +Value Type: REG_DWORD +Value: 0x00000001 (1) (Enabled with UEFI lock) + +A Microsoft article on Credential Guard system requirement can be found at the following link: + +https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirementsSRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-MS-000310Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.<VulnDiscussion>The Windows Security Account Manager (SAM) stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88341V-73677CCI-002235Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict clients allowed to make remote calls to SAM". +Select "Edit Security" to configure the "Security descriptor:". + +Add "Administrators" in "Group or user names:" if it is not already listed (this is the default). + +Select "Administrators" in "Group or user names:". + +Select "Allow" for "Remote Access" in "Permissions for "Administrators". + +Click "OK". + +The "Security descriptor:" must be populated with "O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced.This applies to member servers and standalone systems; it is NA for domain controllers. 
+ +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictRemoteSAM + +Value Type: REG_SZ +Value: O:BAG:BAD:(A;;RC;;;BA)SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-MS-000340The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Access this computer from the network" user right may access resources on the system, and this right must be limited to those requiring it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73733SV-88397CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to include only the following accounts or groups: + +- Administrators +- Authenticated UsersThis applies to member servers and standalone systems. A separate version applies to domain controllers. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Access this computer from the network" user right, this is a finding. 
+ +- Administrators +- Authenticated Users + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeNetworkLogonRight" user right, this is a finding. + +S-1-5-32-544 (Administrators) +S-1-5-11 (Authenticated Users) + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-MS-000370The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny access to this computer from the network" user right defines the accounts that are prevented from logging on from the network. + +In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. + +Local accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. 
+ +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73759SV-88423CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following: + +Domain Systems Only: +- Enterprise Admins group +- Domain Admins group +- "Local account and member of Administrators group" or "Local account" (see Note below) + +All Systems: +- Guests group + +Note: These are built-in security groups. "Local account" is more restrictive but may cause issues on servers such as systems that provide failover clustering.This applies to member servers and standalone systems. A separate version applies to domain controllers. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny access to this computer from the network" user right, this is a finding. + +Domain Systems Only: +- Enterprise Admins group +- Domain Admins group +- "Local account and member of Administrators group" or "Local account" (see Note below) + +All Systems: +- Guests group + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. 
+ +If the following SIDs are not defined for the "SeDenyNetworkLogonRight" user right, this is a finding. + +Domain Systems Only: +S-1-5-root domain-519 (Enterprise Admins) +S-1-5-domain-512 (Domain Admins) +S-1-5-114 ("Local account and member of Administrators group") or S-1-5-113 ("Local account") + +All Systems: +S-1-5-32-546 (Guests) + +Note: These are built-in security groups. "Local account" is more restrictive but may cause issues on servers such as systems that provide failover clustering.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-MS-000380The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on as a batch job" user right defines accounts that are prevented from logging on to the system as a batch job, such as Task Scheduler. + +In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. 
+ +The Guests group must be assigned to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73763SV-88427CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following: + +Domain Systems Only: +- Enterprise Admins Group +- Domain Admins Group + +All Systems: +- Guests GroupThis applies to member servers and standalone systems. A separate version applies to domain controllers. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on as a batch job" user right, this is a finding. + +Domain Systems Only: +- Enterprise Admins Group +- Domain Admins Group + +All Systems: +- Guests Group + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If the following SIDs are not defined for the "SeDenyBatchLogonRight" user right, this is a finding. 
+ +Domain Systems Only: +S-1-5-root domain-519 (Enterprise Admins) +S-1-5-domain-512 (Domain Admins) + +All Systems: +S-1-5-32-546 (Guests)SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-MS-000390The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on as a service" user right defines accounts that are denied logon as a service. + +In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. + +Incorrect configurations could prevent services from starting and result in a DoS.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88431V-73767CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include the following: + +Domain systems: +- Enterprise Admins Group +- Domain Admins GroupThis applies to member servers and standalone systems. A separate version applies to domain controllers. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on as a service" user right on domain-joined systems, this is a finding. + +- Enterprise Admins Group +- Domain Admins Group + +If any accounts or groups are defined for the "Deny log on as a service" user right on non-domain-joined systems, this is a finding. +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If the following SIDs are not defined for the "SeDenyServiceLogonRight" user right on domain-joined systems, this is a finding. + +S-1-5-root domain-519 (Enterprise Admins) +S-1-5-domain-512 (Domain Admins) + +If any SIDs are defined for the user right on non-domain-joined systems, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-MS-000400The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on locally" user right defines accounts that are prevented from logging on interactively. + +In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. 
+ +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73771SV-88435CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following: + +Domain Systems Only: +- Enterprise Admins Group +- Domain Admins Group + +All Systems: +- Guests GroupThis applies to member servers and standalone systems. A separate version applies to domain controllers. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on locally" user right, this is a finding. + +Domain Systems Only: +- Enterprise Admins Group +- Domain Admins Group + +All Systems: +- Guests Group + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If the following SIDs are not defined for the "SeDenyInteractiveLogonRight" user right, this is a finding. 
+ +Domain Systems Only: +S-1-5-root domain-519 (Enterprise Admins) +S-1-5-domain-512 (Domain Admins) + +All Systems: +S-1-5-32-546 (Guests)SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>WN16-MS-000410The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on through Remote Desktop Services" user right defines the accounts that are prevented from logging on using Remote Desktop Services. + +In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. + +Local accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. 
+ +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88439V-73775CCI-002314Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following: + +Domain Systems Only: +- Enterprise Admins group +- Domain Admins group +- Local account (see Note below) + +All Systems: +- Guests group + +Note: "Local account" is referring to the Windows built-in security group.This applies to member servers and standalone systems. A separate version applies to domain controllers. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding. + +Domain Systems Only: +- Enterprise Admins group +- Domain Admins group +- Local account (see Note below) + +All Systems: +- Guests group + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If the following SIDs are not defined for the "SeDenyRemoteInteractiveLogonRight" user right, this is a finding. 
+ +Domain Systems Only: +S-1-5-root domain-519 (Enterprise Admins) +S-1-5-domain-512 (Domain Admins) +S-1-5-113 ("Local account") + +All Systems: +S-1-5-32-546 (Guests) + +Note: "Local account" is referring to the Windows built-in security group.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-MS-000420The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. This could allow unauthorized users to impersonate other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73779SV-88443CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to be defined but containing no entries (blank).This applies to member servers and standalone systems. A separate version applies to domain controllers. + +Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding. 
+ +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs are granted the "SeEnableDelegationPrivilege" user right, this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN16-PK-000010The DoD Root CA certificates must be installed in the Trusted Root Store.<VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs. + +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88269V-73605CCI-002470CCI-000185Install the DoD Root CA certificates: + +DoD Root CA 2 +DoD Root CA 3 +DoD Root CA 4 +DoD Root CA 5 + +The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. + +Open "Windows PowerShell" as an administrator. + +Execute the following command: + +Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter + +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is finding. + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US +Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 +NotAfter: 12/5/2029 + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB +NotAfter: 12/30/2029 + +Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 +NotAfter: 7/25/2032 + +Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B +NotAfter: 6/14/2041 + +Alternately, use the Certificates MMC snap-in: + +Run "MMC". + +Select "File", "Add/Remove Snap-in". + +Select "Certificates" and click "Add". + +Select "Computer account" and click "Next". + +Select "Local computer: (the computer this console is running on)" and click "Finish". + +Click "OK". + +Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". + +For each of the DoD Root CA certificates noted below: + +Right-click on the certificate and select "Open". + +Select the "Details" Tab. + +Scroll to the bottom and select "Thumbprint". + +If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. 
+ +DoD Root CA 2 +Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 +Valid to: Wednesday, December 5, 2029 + +DoD Root CA 3 +Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB +Valid to: Sunday, December 30, 2029 + +DoD Root CA 4 +Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 +Valid to: Sunday, July 25, 2032 + +DoD Root CA 5 +Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B +Valid to: Friday, June 14, 2041SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN16-PK-000020The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.<VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. + +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88271V-73607CCI-000185CCI-002470Install the DoD Interoperability Root CA cross-certificates on unclassified systems. + +Issued To - Issued By - Thumbprint +DoD Root CA 2 - DoD Interoperability Root CA 1 - A8C27332CCB4CA49554CE55D34062A7DD2850C02 +DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341 + + +The certificates can be installed using the InstallRoot tool. 
The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.Verify the DoD Interoperability cross-certificates are installed on unclassified systems as Untrusted Certificates. + +Run "PowerShell" as an administrator. + +Execute the following command: + +Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter + +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is a finding. + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 +NotAfter: 1/22/2022 7:22:56 AM + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02 +NotAfter: 8/26/2022 6:25:51 AM + +Alternately use the Certificates MMC snap-in: + +Run "MMC". + +Select "File", "Add/Remove Snap-in". + +Select "Certificates", click "Add". + +Select "Computer account", click "Next". + +Select "Local computer: (the computer this console is running on)", click "Finish". + +Click "OK". + +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "DoD Root CA…" under "Issued To" and "DoD Interoperability Root CA…" under "Issued By": + +Right-click on the certificate and select "Open". + +Select the "Details" Tab. + +Scroll to the bottom and select "Thumbprint". + +If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. 
Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 +Valid to: Saturday, January 22, 2022 + +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02 +Valid to: Friday, August 26, 2022 +SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>WN16-PK-000030The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.<VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. + +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73609SV-88273CCI-002470CCI-000185Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. + +Issued To - Issued By - Thumbprint +DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 + +The certificates can be installed using the InstallRoot tool. 
The tool and user guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files.Verify the US DoD CCEB Interoperability Root CA cross-certificate is installed on unclassified systems as an Untrusted Certificate. + +Run "PowerShell" as an administrator. + +Execute the following command: + +Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter + +If the following certificate "Subject", "Issuer", and "Thumbprint", information is not displayed, this is a finding. + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 +NotAfter: 8/26/2022 + +Alternately use the Certificates MMC snap-in: + +Run "MMC". + +Select "File", "Add/Remove Snap-in". + +Select "Certificates", click "Add". + +Select "Computer account", click "Next". + +Select "Local computer: (the computer this console is running on)", click "Finish". + +Click "OK". + +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "US DoD CCEB Interoperability Root CA …" under "Issued By": + +Right-click on the certificate and select "Open". + +Select the "Details" Tab. + +Scroll to the bottom and select "Thumbprint". + +If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. 
Government, C=US +Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 +Valid: Friday, August 26, 2022 +SRG-OS-000121-GPOS-00062<GroupDescription></GroupDescription>WN16-SO-000010Windows Server 2016 built-in guest account must be disabled.<VulnDiscussion>A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73809SV-88475CCI-000804Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Guest account status" to "Disabled".Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. + +If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. + +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "EnableGuestAccount" equals "1" in the file, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000020Local accounts with blank passwords must be restricted to prevent access from the network.<VulnDiscussion>An account without a password can allow unauthorized access to a system as only the username would be required. 
Password policies should prevent accounts with blank passwords from existing on a system. However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88285V-73621CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Limit local account use of blank passwords to console logon only" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ + +Value Name: LimitBlankPasswordUse + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000030Windows Server 2016 built-in administrator account must be renamed.<VulnDiscussion>The built-in administrator account is a well-known account subject to attack. 
Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88287V-73623CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename administrator account" to a name other than "Administrator".Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. + +If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding. + +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "NewAdministratorName" is not something other than "Administrator" in the file, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000040Windows Server 2016 built-in guest account must be renamed.<VulnDiscussion>The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. 
Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73625SV-88289CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename guest account" to a name other than "Guest".Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. + +If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding. + +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "NewGuestName" is not something other than "Guest" in the file, this is a finding.SRG-OS-000062-GPOS-00031<GroupDescription></GroupDescription>WN16-SO-000050Audit policy using subcategories must be enabled.<VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88291V-73627CCI-000169Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ + +Value Name: SCENoApplyLegacyAuditPolicy + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN16-SO-000080The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted and signed. 
+ +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88297V-73633CCI-002421CCI-002418Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt or sign secure channel data (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireSignOrSeal + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN16-SO-000090The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted. 
+ +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88299V-73635CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt secure channel data (when possible)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SealSecureChannel + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN16-SO-000100The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.<VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing secure channel traffic will be signed. 
+ +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88301V-73637CCI-002421CCI-002418Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally sign secure channel data (when possible)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: SignSecureChannel + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000379-GPOS-00164<GroupDescription></GroupDescription>WN16-SO-000110The computer account password must not be prevented from being reset.<VulnDiscussion>Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. 
A new password for the computer account will be generated every 30 days.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73639SV-88303CCI-001967Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Disable machine account password changes" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: DisablePasswordChange + +Value Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000120The maximum age for machine account passwords must be configured to 30 days or less.<VulnDiscussion>Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than 30 days, ensuring the machine changes its password monthly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88305V-73641CCI-000366This is the default configuration for this setting (30 days). 
+ +Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Maximum machine account password age" to "30" or less (excluding "0", which is unacceptable).This is the default configuration for this setting (30 days). + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: MaximumPasswordAge + +Value Type: REG_DWORD +Value: 0x0000001e (30) (or less, but not 0)SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN16-SO-000130Windows Server 2016 must be configured to require a strong session key.<VulnDiscussion>A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. Requiring strong session keys enforces 128-bit encryption between systems. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88307V-73643CCI-002421CCI-002418Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Require strong (Windows 2000 or Later) session key" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RequireStrongKey + +Value Type: REG_DWORD +Value: 0x00000001 (1) + +This setting may prevent a system from being joined to a domain if not configured consistently between systems.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>WN16-SO-000140The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73645SV-88309CCI-000057Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Machine inactivity limit" to "900" seconds or less, excluding "0" which is effectively disabled.If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: InactivityTimeoutSecs + +Value Type: REG_DWORD +Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled)SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>WN16-SO-000150The required legal notice must be configured to display before console logon.<VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73647SV-88311CCI-000050CCI-000048CCI-001384CCI-001387CCI-001388CCI-001385CCI-001386Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message text for users attempting to log on" to the following: + +You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeText + +Value Type: REG_SZ +Value: See message text below + +You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>WN16-SO-000160The Windows dialog box title for the legal banner must be configured with the appropriate text.<VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73649SV-88313CCI-000048CCI-001386CCI-001387CCI-001388CCI-001384CCI-001385Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message title for users attempting to log on" to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. + +If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN16-SO-000150.If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: LegalNoticeCaption + +Value Type: REG_SZ +Value: See message title options below + +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. + +If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN16-SO-000150. + +Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000180The Smart Card removal option must be configured to Force Logoff or Lock Workstation.<VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88473V-73807CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: scremoveoption + +Value Type: REG_SZ +Value: 1 (Lock Workstation) or 2 (Force Logoff) + +If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN16-SO-000190The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88317V-73653CCI-002421CCI-002418Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: RequireSecuritySignature + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN16-SO-000200The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88319V-73655CCI-002421CCI-002418Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (if server agrees)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>WN16-SO-000210Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.<VulnDiscussion>Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88321V-73657CCI-000197Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Client: Send unencrypted password to third-party SMB servers" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ + +Value Name: EnablePlainTextPassword + +Value Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN16-SO-000230The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73661SV-88325CCI-002418CCI-002421Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (always)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: RequireSecuritySignature + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>WN16-SO-000240The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.<VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73663SV-88327CCI-002421CCI-002418Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (if client agrees)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: EnableSecuritySignature + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000250Anonymous SID/Name translation must not be allowed.<VulnDiscussion>Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. 
Only authorized users must be able to perform such translations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73665SV-88329CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Allow anonymous SID/Name translation" to "Disabled".Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. + +If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. 
+ +For server core installations, run the following command: + +Secedit /Export /Areas SecurityPolicy /CFG C:\Path\FileName.Txt + +If "LSAAnonymousNameLookup" equals "1" in the file, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000260Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.<VulnDiscussion>Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73667SV-88331CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymousSAM + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN16-SO-000270Anonymous enumeration of shares must not be allowed.<VulnDiscussion>Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88333V-73669CCI-001090Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymous + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000290Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.<VulnDiscussion>Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. 
Anonymous users must not have these permissions or rights.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88337V-73673CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Let everyone permissions apply to anonymous users" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ + +Value Name: EveryoneIncludesAnonymous + +Value Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>WN16-SO-000300Anonymous access to Named Pipes and Shares must be restricted.<VulnDiscussion>Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. 
This setting restricts access to those defined in "Network access: Named Pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously", both of which must be blank under other requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88339V-73675CCI-001090Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ + +Value Name: RestrictNullSessAccess + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000320Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.<VulnDiscussion>Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88343V-73679CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow Local System to use computer identity for NTLM" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. 
+ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\ + +Value Name: UseMachineId + +Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000330NTLM must be prevented from falling back to a Null session.<VulnDiscussion>NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88345V-73681CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow LocalSystem NULL session fallback" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ + +Value Name: allownullsessionfallback + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000340PKU2U authentication using online identities must be prevented.<VulnDiscussion>PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. 
Authentication will be centrally managed with Windows user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88347V-73683CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\pku2u\ + +Value Name: AllowOnlineID + +Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>WN16-SO-000350Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.<VulnDiscussion>Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. 
+ +Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting "The other domain supports Kerberos AES Encryption" on domain trusts, may be required to allow client communication across the trust relationship.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73685SV-88349CCI-000803Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: + +AES128_HMAC_SHA1 +AES256_HMAC_SHA1 +Future encryption types + +Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting "The other domain supports Kerberos AES Encryption" on domain trusts, may be required to allow client communication across the trust relationship.If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ + +Value Name: SupportedEncryptionTypes + +Value Type: REG_DWORD +Value: 0x7ffffff8 (2147483640)SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>WN16-SO-000360Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.<VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. 
This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88351V-73687CCI-000196Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ + +Value Name: NoLMHash + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000380The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.<VulnDiscussion>The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. 
It is also used to authenticate logons to standalone computers that are running later versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88355V-73691CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ + +Value Name: LmCompatibilityLevel + +Value Type: REG_DWORD +Value: 0x00000005 (5)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000390Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.<VulnDiscussion>This setting controls the signing requirements for LDAP clients. 
This must be set to "Negotiate signing" or "Require signing", depending on the environment and type of LDAP server in use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88357V-73693CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum.If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ + +Value Name: LDAPClientIntegrity + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000400Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.<VulnDiscussion>Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. 
All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88359V-73695CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinClientSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000410Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.<VulnDiscussion>Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. 
All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88361V-73697CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinServerSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200)SRG-OS-000067-GPOS-00035<GroupDescription></GroupDescription>WN16-SO-000420Users must be required to enter a password to access private keys stored on the computer.<VulnDiscussion>If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. + +The cornerstone of the PKI is the private key used to encrypt or digitally sign information. + +If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. 
+ +Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73699SV-88363CCI-000186Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Force strong key protection for user keys stored on the computer" to "User must enter a password each time they use a key".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ + +Value Name: ForceKeyProtection + +Type: REG_DWORD +Value: 0x00000002 (2)SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>WN16-SO-000430Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.<VulnDiscussion>This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. Government and must be the algorithms used for all OS encryption functions. 
+ +Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88365V-73701CCI-000068CCI-002450Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ + +Value Name: Enabled + +Value Type: REG_DWORD +Value: 0x00000001 (1) + +Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise. the browser will not be able to connect to a secure site.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-SO-000450The default permissions of global system objects must be strengthened.<VulnDiscussion>Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. 
When this policy is enabled, the default DACL is stronger, allowing non-administrative users to read shared objects but not to modify shared objects they did not create.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73705SV-88369CCI-000366Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)" to "Enabled".If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ + +Value Name: ProtectionMode + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000373-GPOS-00157<GroupDescription></GroupDescription>WN16-SO-000460User Account Control approval mode for the built-in Administrator must be enabled.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode. 
+ +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88371V-73707CCI-002038Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled".UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: FilterAdministratorToken + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN16-SO-000470UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88373V-73709CCI-001084Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" to "Disabled".UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableUIADesktopToggle + +Value Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN16-SO-000480User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88375V-73711CCI-001084Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent on the secure desktop". + +The more secure option for this setting, "Prompt for credentials on the secure desktop", would also be acceptable.UAC requirements are NA for Server Core installations (this is default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorAdmin + +Value Type: REG_DWORD +Value: 0x00000002 (2) (Prompt for consent on the secure desktop) +0x00000001 (1) (Prompt for credentials on the secure desktop)SRG-OS-000373-GPOS-00157<GroupDescription></GroupDescription>WN16-SO-000490User Account Control must automatically deny standard user requests for elevation.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account. 
+ +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73713SV-88377CCI-002038Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests".UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorUser + +Value Type: REG_DWORD +Value: 0x00000000 (0)SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN16-SO-000500User Account Control must be configured to detect application installations and prompt for elevation.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting requires Windows to respond to application installation requests by prompting for credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73715SV-88379CCI-001084Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Detect application installations and prompt for elevation" to "Enabled".UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableInstallerDetection + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN16-SO-000510User Account Control must only elevate UIAccess applications that are installed in secure locations.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\System32 folders, to run with elevated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73717SV-88381CCI-001084Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled".UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableSecureUIAPaths + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000373-GPOS-00157<GroupDescription></GroupDescription>WN16-SO-000520User Account Control must run all administrators in Admin Approval Mode, enabling UAC.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. 
+ +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73719SV-88383CCI-002038Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled".UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableLUA + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>WN16-SO-000530User Account Control must virtualize file and registry write failures to per-user locations.<VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88385V-73721CCI-001084Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled".UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2016 versus Server with Desktop Experience) as well as Nano Server. + +If the following registry value does not exist or is not configured as specified, this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableVirtualization + +Value Type: REG_DWORD +Value: 0x00000001 (1)SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>WN16-UC-000030Zone information must be preserved when saving attachments.<VulnDiscussion>Attachments from outside sources may contain malicious code. 
Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88391V-73727CCI-000366The default behavior is for Windows to mark file attachments with their zone information. + +If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> "Do not preserve zone information in file attachments" to "Not Configured" or "Disabled".The default behavior is for Windows to mark file attachments with their zone information. + +If the registry Value Name below does not exist, this is not a finding. + +If it exists and is configured with a value of "2", this is not a finding. + +If it exists and is configured with a value of "1", this is a finding. + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: SaveZoneInformation + +Value Type: REG_DWORD +Value: 0x00000002 (2) (or if the Value Name does not exist)SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000010The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
+ +Accounts with the "Access Credential Manager as a trusted caller" user right may be able to retrieve the credentials of other accounts from Credential Manager.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88393V-73729CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding. + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs are granted the "SeTrustedCredManAccessPrivilege" user right, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000030The Act as part of the operating system user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Act as part of the operating system" user right can assume the identity of any user and gain access to resources that the user is authorized to access. 
Any accounts with this right can take complete control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88399V-73735CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups (to include administrators), are granted the "Act as part of the operating system" user right, this is a finding. + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs are granted the "SeTcbPrivilege" user right, this is a finding. + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070). 
+ +Passwords for accounts with this user right must be protected as highly privileged accounts.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>WN16-UR-000050The Allow log on locally user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Allow log on locally" user right can log on interactively to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88403V-73739CCI-000213Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeInteractiveLogonRight" user right, this is a finding. + +S-1-5-32-544 (Administrators) + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. 
+ +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000070The Back up files and directories user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Back up files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88407V-73743CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. 
+ +If any SIDs other than the following are granted the "SeBackupPrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators) + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000080The Create a pagefile user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Create a pagefile" user right can change the size of a pagefile, which could affect system performance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88409V-73745CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a pagefile" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding. 
+ +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeCreatePagefilePrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators)SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000100The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Create global objects" user right can create objects that are available to all sessions, which could affect processes in other users' sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88413V-73749CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create global objects" to include only the following accounts or groups: + +- Administrators +- Service +- Local Service +- Network ServiceVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding. 
+ +- Administrators +- Service +- Local Service +- Network Service + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeCreateGlobalPrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators) +S-1-5-6 (Service) +S-1-5-19 (Local Service) +S-1-5-20 (Network Service) + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000110The Create permanent shared objects user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Create permanent shared objects" user right could expose sensitive data by creating shared objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88415V-73751CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create permanent shared objects" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding. + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs are granted the "SeCreatePermanentPrivilege" user right, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000120The Create symbolic links user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Create symbolic links" user right can create pointers to other objects, which could expose the system to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88417V-73753CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create symbolic links" to include only the following accounts or groups: + +- Administrators + +Systems that have the Hyper-V role will also have "Virtual Machines" given this user right. If this needs to be added manually, enter it as "NT Virtual Machine\Virtual Machines".Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". 
+ +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeCreateSymbolicLinkPrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators) + +Systems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines", SID S-1-5-83-0). This is not a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000130The Debug programs user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Debug programs" user right can attach a debugger to any process or to the kernel, providing complete access to sensitive and critical operating system components. 
This right is given to Administrators in the default configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88419V-73755CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Debug programs" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeDebugPrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators) + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070). 
+ +Passwords for application accounts with this user right must be protected as highly privileged accounts.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000200The Force shutdown from a remote system user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Force shutdown from a remote system" user right can remotely shut down a system, which could result in a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88445V-73781CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeRemoteShutdownPrivilege" user right, this is a finding. 
+ +S-1-5-32-544 (Administrators)SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000210The Generate security audits user right must only be assigned to Local Service and Network Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Generate security audits" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88447V-73783CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Generate security audits" to include only the following accounts or groups: + +- Local Service +- Network ServiceVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding. + +- Local Service +- Network Service + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeAuditPrivilege" user right, this is a finding. 
+ +S-1-5-19 (Local Service) +S-1-5-20 (Network Service) + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000220The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Impersonate a client after authentication" user right allows a program to impersonate another user or account to run on their behalf. An attacker could use this to elevate privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73785SV-88449CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to include only the following accounts or groups: + +- Administrators +- Service +- Local Service +- Network ServiceVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Impersonate a client after authentication" user right, this is a finding. + +- Administrators +- Service +- Local Service +- Network Service + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeImpersonatePrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators) +S-1-5-6 (Service) +S-1-5-19 (Local Service) +S-1-5-20 (Network Service) + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000230The Increase scheduling priority user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
+ +Accounts with the "Increase scheduling priority" user right can change a scheduling priority, causing performance issues or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73787SV-88451CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Increase scheduling priority" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Increase scheduling priority" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeIncreaseBasePriorityPrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators) + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. 
+ +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000240The Load and unload device drivers user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Load and unload device drivers" user right allows a user to load device drivers dynamically on a system. This could be used by an attacker to install malicious code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73789SV-88453CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Load and unload device drivers" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeLoadDriverPrivilege" user right, this is a finding. 
+ +S-1-5-32-544 (Administrators)SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000250The Lock pages in memory user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Lock pages in memory" user right allows physical memory to be assigned to processes, which could cause performance issues or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73791SV-88455CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups are granted the "Lock pages in memory" user right, this is a finding. + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs are granted the "SeLockMemoryPrivilege" user right, this is a finding. + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. 
+ +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>WN16-UR-000260The Manage auditing and security log user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Manage auditing and security log" user right can manage the security log and change auditing configurations. This could be used to clear evidence of tampering. + +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000337-GPOS-00129</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73793SV-88457CCI-000162CCI-000163CCI-000171CCI-000164CCI-001914Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding. 
+ +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeSecurityPrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators) + +If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000270The Modify firmware environment values user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Modify firmware environment values" user right can change hardware configuration environment variables. 
This could result in hardware failures or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73795SV-88459CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Modify firmware environment values" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Modify firmware environment values" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeSystemEnvironmentPrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators)SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000280The Perform volume maintenance tasks user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Perform volume maintenance tasks" user right can manage volume and disk configurations. 
This could be used to delete volumes, resulting in data loss or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205V-73797SV-88461CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Perform volume maintenance tasks" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeManageVolumePrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators)SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000290The Profile single process user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Profile single process" user right can monitor non-system processes performance. 
An attacker could use this to identify processes to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88463V-73799CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Profile single process" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Profile single process" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeProfileSingleProcessPrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators)SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000090The Create a token object user right must not be assigned to any groups or accounts.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Create a token object" user right allows a process to create an access token. 
This could be used to provide elevated rights and compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88411V-73747CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank).Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups are granted the "Create a token object" user right, this is a finding. + +If an application requires this user right, this would not be a finding. + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs are granted the "SeCreateTokenPrivilege" user right, this is a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070). 
+ +Passwords for application accounts with this user right must be protected as highly privileged accounts.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000300The Restore files and directories user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Restore files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data. It could also be used to overwrite more current data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88465V-73801CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Restore files and directories" user right, this is a finding. + +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeRestorePrivilege" user right, this is a finding. 
+ +S-1-5-32-544 (Administrators) + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070).SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>WN16-UR-000310The Take ownership of files or other objects user right must only be assigned to the Administrators group.<VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +Accounts with the "Take ownership of files or other objects" user right can take ownership of objects and make changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Windows Server 2016DISADPMS TargetWindows Server 20164205SV-88467V-73803CCI-002235Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Take ownership of files or other objects" to include only the following accounts or groups: + +- AdministratorsVerify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Take ownership of files or other objects" user right, this is a finding. 
+ +- Administrators + +For server core installations, run the following command: + +Secedit /Export /Areas User_Rights /cfg c:\path\filename.txt + +Review the text file. + +If any SIDs other than the following are granted the "SeTakeOwnershipPrivilege" user right, this is a finding. + +S-1-5-32-544 (Administrators) + +If an application requires this user right, this would not be a finding. + +Vendor documentation must support the requirement for having the user right. + +The requirement must be documented with the ISSO. + +The application account must meet requirements for application account passwords, such as length (WN16-00-000060) and required frequency of changes (WN16-00-000070). diff --git a/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V1R3_Manual-xccdf.log b/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V1R3_Manual-xccdf.log deleted file mode 100644 index 9c67c2609..000000000 --- a/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V1R3_Manual-xccdf.log +++ /dev/null 
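Review bot: the ident order is inconsistent across the rules added in this hunk: WN16-UR-000230, -000240, -000250, -000260, -000270 and -000280 carry the V- id before the SV- id (`V-73787SV-88451`), whereas WN16-UR-000290, -000090, -000300 and -000310 carry the SV- id first (`SV-88463V-73799`, `SV-88411V-73747`, `SV-88465V-73801`). If this is the DISA XCCDF imported verbatim it should not be hand-edited, but the rule-id and legacy-id extraction must then key on the `V-`/`SV-` prefix rather than on element position, and a parser test that feeds both orderings would keep that from regressing. Minor: WN16-UR-000090 (Create a token object) sits between -000290 and -000300, out of rule-id order; harmless for parsing, but worth knowing when diffing against the next benchmark release.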
@@ -1,19 +0,0 @@ -V-92993::*::'' -V-93029::*::'' -V-93031::Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control)::Administrators - all selected except Full control - This folder only -V-93031::execute-::execute - -V-93031::(RX) - Read & execute::'' -V-93063::- Administrators::- Administrators`r`nSystems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines", SID S-1-5-83-0). This is not a finding. -V-93175::\SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ -V-93217::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct AntiVirus service information'} -V-93257::0x00000000 (0) (Security), 0x00000001 (1) (Basic)::0 or 1 -V-93259::0x00000000 (0) - No peering (HTTP Only)::0, 1, 2, 99 or 100 -V-93261::0x00000000 (0) (or if the Value Name does not exist)::0 -V-93263::0x00000000 (0) (or if the Value Name does not exist)::0 -V-93267::0x00000000 (0) (or if the Value Name does not exist)::0 -V-93311::0x00000002 (2) (or if the Value Name does not exist)::2 -V-93413::0x00000000 (0) (or if the Value Name does not exist)::0 -V-93463::*::HardCodedRule(AccountPolicyRule)@{DscResource = 'AccountPolicy'; PolicyName = 'Minimum password length'; PolicyValue = $null; OrganizationValueTestString = "'{0}' -ge '14'"} -V-93523::0x00000002 (2) (Prompt for consent on the secure desktop)::1 or 2 -V-93563::0x00000000 (0) (or if the Value Name does not exist)::0 -V-93571::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct 
Firewall service information'} diff --git a/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V2R1_Manual-xccdf.log b/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V2R1_Manual-xccdf.log new file mode 100644 index 000000000..9fb62204d --- /dev/null +++ b/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V2R1_Manual-xccdf.log 
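Review bot: these `V-id::old::new` entries act on exact text matches, so any carried forward to the V2R1 log that no longer match the new benchmark text will silently do nothing; since this file is deleted rather than kept beside the old archive, please confirm each entry was re-verified against the V2R1 XCCDF and not only renumbered (the stray-space fix `\SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\` for V-93175 and the `(RX) - Read & execute` removal for V-93031 are the ones most likely to have changed upstream). The rename header that follows shows the V1R3 XCCDF becoming the V2R1 file, so no orphaned archive remains; just check that no test fixture still loads the V1R3 name, otherwise it would fail on the missing log rather than on a missing XML.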
@@ -0,0 +1,20 @@ +V-205664::*::'' +V-205739::*::'' +V-205740::Administrators - Special - This folder only (Special = Basic Permissions: all selected except Full control)::Administrators - all selected except Full control - This folder only +V-205740::execute-::execute - +V-205740::(RX) - Read & execute::'' +V-205756::- Administrators::- Administrators`r`nSystems that have the Hyper-V role will also have "Virtual Machines" given this user right (this may be displayed as "NT Virtual Machine\Virtual Machines", SID S-1-5-83-0). This is not a finding. +V-205639::\SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\::\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ +V-205820::*::HardCodedRule(SecurityOptionRule)@{DscResource = 'SecurityOption'; OptionName = 'Domain_controller_LDAP_server_signing_requirements'; OptionValue = 'Require Signing'} +V-205850::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct AntiVirus service information'} +V-205869::0x00000000 (0) (Security), 0x00000001 (1) (Basic)::0 or 1 +V-205870::0x00000000 (0) - No peering (HTTP Only)::0, 1, 2, 99 or 100 +V-205871::0x00000000 (0) (or if the Value Name does not exist)::0 +V-205872::0x00000000 (0) (or if the Value Name does not exist)::0 +V-205874::0x00000000 (0) (or if the Value Name does not exist)::0 +V-205924::0x00000002 (2) (or if the Value Name does not exist)::2 +V-205693::0x00000000 (0) (or if the Value Name does not exist)::0 +V-205662::*::HardCodedRule(AccountPolicyRule)@{DscResource = 'AccountPolicy'; PolicyName = 'Minimum password length'; PolicyValue = $null; OrganizationValueTestString = "'{0}' -ge '14'"} +V-205717::0x00000002 (2) (Prompt for consent on the secure desktop)::1 or 2 +V-205830::0x00000000 (0) (or if the Value Name does not exist)::0 
+V-214936::*::HardCodedRule(ServiceRule)@{DscResource = 'Service'; Ensure = 'Present'; ServiceName = $null; ServiceState = 'Running'; StartupType = $null; OrganizationValueTestString = 'ServiceName/StartupType is populated with correct Firewall service information'} diff --git a/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V1R3_Manual-xccdf.xml b/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V2R1_Manual-xccdf.xml similarity index 62% rename from source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V1R3_Manual-xccdf.xml rename to source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V2R1_Manual-xccdf.xml index d15219fb6..9419f403f 100644 --- a/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V1R3_Manual-xccdf.xml +++ b/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_DC_STIG_V2R1_Manual-xccdf.xml 
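Review bot: the new `V-205820` entry pins `Domain_controller_LDAP_server_signing_requirements` to `Require Signing` as a hard-coded SecurityOptionRule; that works around the parse failure, but it also fixes the value independently of the benchmark text, so a test asserting that the V2R1 check text still expects "Require Signing" would catch a silent drift when the next release lands. Style: the entries keep the V1R3 line order, which is no longer ascending under the new ids (V-205639 follows V-205756, and V-205693 and V-205662 follow V-205924); sorting by id would keep this file easy to diff against future logs. Otherwise the 19 V1R3 entries map one-to-one onto the renumbered ids here, with V-205820 as the single addition.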
@@ -1,2966 +1,2796 @@  - - accepted - Windows Server 2019 Security Technical Implementation Guide + + accepted + Microsoft Windows Server 2019 Security Technical Implementation Guide This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + DISA STIG.DOD.MIL - Release: 3 Benchmark Date: 24 Jan 2020 - 1 + Release: 1 Benchmark Date: 13 Nov 2020 + 3.1.1.36225 + 1.10.0 + 2 I - Mission Critical Classified <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + I - 
Mission Critical Sensitive <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Public <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Classified <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Sensitive <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + I - Mission Critical Public <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Classified <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Sensitive <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Public <ProfileDescription></ProfileDescription> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - SRG-OS-000028-GPOS-00009 + + SRG-OS-000002-GPOS-00002 <GroupDescription></GroupDescription> - - WN19-SO-000120 - Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. - <VulnDiscussion>Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer. + + WN19-00-000300 + Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours. + <VulnDiscussion>If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. 
+ +If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. + +To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000056 - CCI-000057 - CCI-000060 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Machine inactivity limit" to "900" seconds or less, excluding "0" which is effectively disabled. - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-92975 + SV-103063 + CCI-000016 + Configure temporary user accounts to automatically expire within 72 hours. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ +Domain accounts can be configured with an account expiration date, under "Account" properties. -Value Name: InactivityTimeoutSecs +Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. -Value Type: REG_DWORD -Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled) +Delete any temporary user accounts that are no longer necessary. 
+ + + + Review temporary user accounts for expiration dates. + +Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. + +Domain Controllers: + +Open "PowerShell". + +Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate". + +If "AccountExpirationDate" has not been defined within 72 hours for any temporary user account, this is a finding. + +Member servers and standalone systems: + +Open "Command Prompt". + +Run "Net user [username]", where [username] is the name of the temporary user account. + +If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding. - - SRG-OS-000032-GPOS-00013 + + SRG-OS-000004-GPOS-00004 <GroupDescription></GroupDescription> - - WN19-AU-000190 - Windows Server 2019 must be configured to audit logon successes. + + WN19-AU-000100 + Windows Server 2019 must be configured to audit Account Management - Security Group Management successes. <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. +Security Group Management records events such as creating, deleting, or changing security groups, including changes in group members. 
-Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000067 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Success" selected. - - - + V-92979 + SV-103067 + CCI-000018 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Security Group Management" with "Success" selected. 
+ + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
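Review bot: the DPMS target identifier drops from 3483 to 2907 at the same time the target name changes from "Windows 2019" to "MS Windows Server 2019", and that pair is repeated in every rule of this hunk; confirm both values come from the new benchmark source rather than a stale copy, because a mismatch here would propagate to every rule. Note also that this hunk is dominated by reordering rather than content change: WN19-SO-000120 (inactivity limit) and WN19-AU-000190 (audit logon successes) are removed at this position and WN19-00-000300 / WN19-AU-000100 take their place, so a line-by-line read is not a reliable review. Suggest comparing old and new files keyed on the rule id (WN19-...) and checking that for each rule only the expected fields changed (target name, identifier, the added `V-92975` / `SV-103063` style legacy ids), and that every rule removed in this hunk is re-added elsewhere in the patch.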
@@ -2846,34 +2887,40 @@ Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. -Logon/Logoff >> Logon - Success +Account Management >> Security Group Management - Success - - SRG-OS-000032-GPOS-00013 + + SRG-OS-000004-GPOS-00004 <GroupDescription></GroupDescription> - - WN19-AU-000200 - Windows Server 2019 must be configured to audit logon failures. + + WN19-AU-000110 + Windows Server 2019 must be configured to audit Account Management - User Account Management successes. <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. +User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. 
-Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000067 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Failure" selected. - - - + V-92981 + SV-103069 + CCI-000018 + CCI-001405 + CCI-001403 + CCI-001404 + CCI-000172 + CCI-002130 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Success" selected. 
+ + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
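Review bot: the CCI list order for WN19-AU-000110 (`CCI-000018`, `CCI-001405`, `CCI-001403`, `CCI-001404`, `CCI-000172`, `CCI-002130`) differs from the order used for WN19-AU-000100 in the previous hunk (`CCI-000018`, `CCI-000172`, `CCI-001403`, `CCI-001404`, `CCI-001405`, `CCI-002130`) even though the set is identical; any parser test or downstream consumer that compares CCI lists positionally will see a spurious difference, so compare them as sets. Also, WN19-AU-000200 (audit logon failures) is removed in this hunk without a visible re-addition; confirm it appears at its new position in the full patch so the logon failure audit rule is not dropped from the benchmark.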
@@ -2886,254 +2933,236 @@ Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. -Logon/Logoff >> Logon - Failure +Account Management >> User Account Management - Success - - SRG-OS-000033-GPOS-00014 + + SRG-OS-000004-GPOS-00004 <GroupDescription></GroupDescription> - - WN19-CC-000370 - Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications. - <VulnDiscussion>Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a client and server and modifies them before allowing the packets to be exchanged. Usually the attacker will modify the information in the packets in an attempt to cause either the client or server to reveal sensitive information. + + WN19-AU-000120 + Windows Server 2019 must be configured to audit Account Management - User Account Management failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
-Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000250-GPOS-00093</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. + +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000068 - CCI-001453 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Require secure RPC communication" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103071 + V-92983 + CCI-000018 + CCI-000172 + CCI-001404 + CCI-001403 + CCI-001405 + CCI-002130 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Failure" selected. 
+ + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ +Use the "AuditPol" tool to review the current Audit Policy configuration: -Value Name: fEncryptRPCTraffic +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Type: REG_DWORD -Value: 0x00000001 (1) +Enter "AuditPol /get /category:*" + +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. + +Account Management >> User Account Management - Failure - - SRG-OS-000033-GPOS-00014 + + SRG-OS-000023-GPOS-00006 <GroupDescription></GroupDescription> - - WN19-CC-000380 - Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level. - <VulnDiscussion>Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions. + + WN19-SO-000130 + Windows Server 2019 required legal notice must be configured to display before console logon. + <VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. 
-Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000250-GPOS-00093</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000068 - CCI-001453 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Set client connection encryption level" to "Enabled" with "High Level" selected. - - - - If the following registry value does not exist or is not configured as specified, this is a finding: - -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ + SV-103235 + V-93147 + CCI-000048 + CCI-000050 + CCI-001386 + CCI-001387 + CCI-001388 + CCI-001384 + CCI-001385 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message text for users attempting to log on" to the following: -Value Name: MinEncryptionLevel +You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only. -Type: REG_DWORD -Value: 0x00000003 (3) - - - - - SRG-OS-000002-GPOS-00002 - <GroupDescription></GroupDescription> - - WN19-00-000300 - Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours. - <VulnDiscussion>If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. +By using this IS (which includes any device attached to this IS), you consent to the following conditions: -Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. +-At any time, the USG may inspect and seize data stored on this IS. 
-To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000016 - Configure temporary user accounts to automatically expire within 72 hours. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -Domain accounts can be configured with an account expiration date, under "Account" properties. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Delete any temporary user accounts that are no longer necessary. - - - - Review temporary user accounts for expiration dates. 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -Determine if temporary user accounts are used and identify any that exist. If none exist, this is NA. +Value Name: LegalNoticeText -Domain Controllers: +Value Type: REG_SZ +Value: See message text below -Open "PowerShell". +You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. -Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate". +By using this IS (which includes any device attached to this IS), you consent to the following conditions: -If "AccountExpirationDate" has not been defined within 72 hours for any temporary user account, this is a finding. +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -Member servers and standalone systems: +-At any time, the USG may inspect and seize data stored on this IS. -Open "Command Prompt". +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -Run "Net user [username]", where [username] is the name of the temporary user account. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -If "Account expires" has not been defined within 72 hours for any temporary user account, this is a finding. +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details. - - SRG-OS-000123-GPOS-00064 + + SRG-OS-000023-GPOS-00006 <GroupDescription></GroupDescription> - - WN19-00-000310 - Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. - <VulnDiscussion>Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. - -Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. + + WN19-SO-000140 + Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text. + <VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. 
-To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001682 - Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. - -Domain accounts can be configured with an account expiration date, under "Account" properties. - -Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. - - - - Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. 
+ SV-103237 + V-93149 + CCI-000048 + CCI-001385 + CCI-001388 + CCI-001386 + CCI-001387 + CCI-001384 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message title for users attempting to log on" to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. -If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. - -If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. - -Domain Controllers: - -Open "PowerShell". +If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN19-SO-000150. + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate". +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -If "AccountExpirationDate" has been defined and is not within 72 hours for an emergency administrator account, this is a finding. +Value Name: LegalNoticeCaption -Member servers and standalone systems: +Value Type: REG_SZ +Value: See message title options below -Open "Command Prompt". +"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. -Run "Net user [username]", where [username] is the name of the emergency account. +If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000150. 
-If "Account expires" has been defined and is not within 72 hours for an emergency administrator account, this is a finding. +Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required. - - SRG-OS-000004-GPOS-00004 + + SRG-OS-000028-GPOS-00009 <GroupDescription></GroupDescription> - - WN19-AU-000100 - Windows Server 2019 must be configured to audit Account Management - Security Group Management successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Security Group Management records events such as creating, deleting, or changing security groups, including changes in group members. + + WN19-SO-000120 + Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. + <VulnDiscussion>Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. This protects critical and sensitive data from exposure to unauthorized personnel with physical access to the computer. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Security Group Management" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. - -Use the "AuditPol" tool to review the current Audit Policy configuration: - -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). 
- -Enter "AuditPol /get /category:*" + SV-103049 + V-92961 + CCI-000056 + CCI-000057 + CCI-000060 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Machine inactivity limit" to "900" seconds or less, excluding "0" which is effectively disabled. + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Compare the "AuditPol" settings with the following: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -If the system does not audit the following, this is a finding. +Value Name: InactivityTimeoutSecs -Account Management >> Security Group Management - Success +Value Type: REG_DWORD +Value: 0x00000384 (900) (or less, excluding "0" which is effectively disabled) - - SRG-OS-000004-GPOS-00004 + + SRG-OS-000032-GPOS-00013 <GroupDescription></GroupDescription> - - WN19-AU-000110 - Windows Server 2019 must be configured to audit Account Management - User Account Management successes. + + WN19-AU-000190 + Windows Server 2019 must be configured to audit logon successes. <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. +Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Success" selected. - - - + V-92967 + SV-103055 + CCI-000067 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Success" selected. 
+ + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
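Review bot: the removed emergency administrator account check (the `Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate` domain procedure and the `Net user [username]` member-server procedure with the 72-hour "Account expires" test) does not reappear anywhere in this hunk, which instead places WN19-SO-000120 (InactivityTimeoutSecs) and WN19-AU-000190 (Logon - Success) at the same position; since the benchmark is also renamed ("MS Windows Server 2019", id 2907 replacing 3483) and the rules are re-sorted by SRG, please state in the PR, or attach a before/after rule-id listing showing, that this rule was relocated rather than dropped. Two parser-facing details in the same lines are worth a test: the new identifier pairs are not in a stable order (`SV-103237` then `V-93149` and `SV-103049` then `V-92961`, but `V-92967` then `SV-103055`), so any code that takes the legacy id by position rather than by `V-`/`SV-` prefix will read the wrong one; and the inactivity check states "0x00000384 (900) (or less, excluding "0" which is effectively disabled)", so the range handling must reject 0 instead of accepting it as "less than 900".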
@@ -3146,38 +3175,36 @@ Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. -Account Management >> User Account Management - Success +Logon/Logoff >> Logon - Success - - SRG-OS-000004-GPOS-00004 + + SRG-OS-000032-GPOS-00013 <GroupDescription></GroupDescription> - - WN19-AU-000120 - Windows Server 2019 must be configured to audit Account Management - User Account Management failures. + + WN19-AU-000200 + Windows Server 2019 must be configured to audit logon failures. <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -User Account Management records events such as creating, changing, deleting, renaming, disabling, or enabling user accounts. +Logon records user logons. If this is an interactive logon, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000018 - CCI-000172 - CCI-001403 - CCI-001404 - CCI-001405 - CCI-002130 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit User Account Management" with "Failure" selected. - - - + V-92969 + SV-103057 + CCI-000172 + CCI-000067 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logon" with "Failure" selected. 
+ + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. Use the "AuditPol" tool to review the current Audit Policy configuration: 
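Review bot: WN19-AU-000200 lists its identifiers as `V-92969` then `SV-103057` and its CCIs as `CCI-000172` then `CCI-000067`, which is the reverse of its sibling WN19-AU-000190 in the previous hunk (`SV-` before `V-`, `CCI-000067` before `CCI-000172`); if any comparison or fixture matches these lists positionally the Success and Failure rules will diverge, so match on prefix and compare CCI sets unordered. The renamed check text also keeps the shared dependency line on "Audit: Force audit policy subcategory settings ... (WN19-SO-000050)" ahead of the new "Logon/Logoff >> Logon - Failure" line; confirm the AuditPol parser still derives category and subcategory from the `>>`-split string for the new Logon/Logoff pair exactly as it did for "Account Management >> User Account Management".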
@@ -3190,8791 +3217,9550 @@ Compare the "AuditPol" settings with the following: If the system does not audit the following, this is a finding. -Account Management >> User Account Management - Failure +Logon/Logoff >> Logon - Failure - - SRG-OS-000240-GPOS-00090 + + SRG-OS-000033-GPOS-00014 <GroupDescription></GroupDescription> - - WN19-AU-000150 - Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Account Lockout events can be used to identify potentially malicious logon attempts. + + WN19-CC-000370 + Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications. + <VulnDiscussion>Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a client and server and modifies them before allowing the packets to be exchanged. Usually the attacker will modify the information in the packets in an attempt to cause either the client or server to reveal sensitive information. 
-Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000250-GPOS-00093</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-001404 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + SV-103059 + V-92971 + CCI-000068 + CCI-001453 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Require secure RPC communication" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Use the "AuditPol" tool to review the current Audit Policy configuration: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Value Name: fEncryptRPCTraffic -Enter "AuditPol /get /category:*" +Type: REG_DWORD +Value: 0x00000001 (1) + + + + + SRG-OS-000033-GPOS-00014 + <GroupDescription></GroupDescription> + + WN19-CC-000380 + Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level. + <VulnDiscussion>Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions. -Compare the "AuditPol" settings with the following: +Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000250-GPOS-00093</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103061 + V-92973 + CCI-000068 + CCI-001453 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Set client connection encryption level" to "Enabled" with "High Level" selected. + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -If the system does not audit the following, this is a finding. 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ -Logon/Logoff >> Account Lockout - Success +Value Name: MinEncryptionLevel + +Type: REG_DWORD +Value: 0x00000003 (3) - - SRG-OS-000240-GPOS-00090 + + SRG-OS-000042-GPOS-00020 <GroupDescription></GroupDescription> - - WN19-AU-000160 - Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures. + + WN19-CC-000090 + Windows Server 2019 command line data must be included in process creation events. <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Account Lockout events can be used to identify potentially malicious logon attempts. - -Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Enabling "Include command line data for process creation events" will record the command line information with the process creation events in the log. 
This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-001404 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. - -Use the "AuditPol" tool to review the current Audit Policy configuration: - -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). - -Enter "AuditPol /get /category:*" + SV-103261 + V-93173 + CCI-000135 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> "Include command line in process creation events" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Compare the "AuditPol" settings with the following: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ -If the system does not audit the following, this is a finding. 
+Value Name: ProcessCreationIncludeCmdLine_Enabled -Logon/Logoff >> Account Lockout - Failure +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000080-GPOS-00048 + + SRG-OS-000042-GPOS-00020 <GroupDescription></GroupDescription> - - WN19-00-000130 - Windows Server 2019 local volumes must use a format that supports NTFS attributes. - <VulnDiscussion>The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, volumes must be formatted using a file system that supports NTFS attributes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000460 + Windows Server 2019 PowerShell script block logging must be enabled. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. 
This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000213 - Format volumes to use NTFS or ReFS. - - - - Open "Computer Management". - -Select "Disk Management" under "Storage". + V-93175 + SV-103263 + CCI-000135 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -For each local volume, if the file system does not indicate "NTFS", this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ -"ReFS" (resilient file system) is also acceptable and would not be a finding. +Value Name: EnableScriptBlockLogging -This does not apply to system partitions such the Recovery and EFI System Partition. +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000080-GPOS-00048 + + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - WN19-00-000180 - Windows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares. - <VulnDiscussion>Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. 
Improper configuration can permit access to devices and data beyond a user's need.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000030 + Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Application event log may be susceptible to tampering if proper permissions are not applied. + +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000213 - Configure the permissions on shared printers to restrict standard users to only have Print permissions. - - - - Open "Printers & scanners" in "Settings". - -If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) - -For each printer: - -Select the printer and "Manage". 
+ SV-103277 + V-93189 + CCI-000162 + CCI-000163 + CCI-000164 + Configure the permissions on the Application event log file (Application.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: -Select "Printer Properties". +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control -Select the "Sharing" tab. +The default location is the "%SystemRoot%\System32\winevt\Logs" folder. -If "Share this printer" is checked, select the "Security" tab. +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". + + + + Navigate to the Application event log file. -If any standard user accounts or groups have permissions other than "Print", this is a finding. +The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. -The default is for the "Everyone" group to be given "Print" permission. +If the permissions for the "Application.evtx" file are not as restrictive as the default permissions listed below, this is a finding: -"All APPLICATION PACKAGES" and "CREATOR OWNER" are not standard user accounts. +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control - - SRG-OS-000312-GPOS-00122 + + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - WN19-00-000140 - Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements. - <VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. - -The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). 
+ + WN19-AU-000040 + Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Security event log may disclose sensitive information or be susceptible to tampering if proper permissions are not applied. -Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002165 - Maintain the default permissions for the system drive's root directory and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN19-SO-000240). 
- -Default Permissions -C:\ -Type - "Allow" for all -Inherited from - "None" for all + SV-103279 + V-93191 + CCI-000164 + CCI-000162 + CCI-000163 + Configure the permissions on the Security event log file (Security.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: -Principal - Access - Applies to +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control -SYSTEM - Full control - This folder, subfolders, and files -Administrators - Full control - This folder, subfolders, and files -Users - Read & execute - This folder, subfolders, and files -Users - Create folders/append data - This folder and subfolders -Users - Create files/write data - Subfolders only -CREATOR OWNER - Full Control - Subfolders and files only - - - - The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). +The default location is the "%SystemRoot%\System32\winevt\Logs" folder. -Review the permissions for the system drive's root directory (usually C:\). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions except where noted as defaults. Individual accounts must not be used to assign permissions. +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". + + + + Navigate to the Security event log file. -If permissions are not as restrictive as the default permissions listed below, this is a finding. +The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. -Viewing in File Explorer: +If the permissions for the "Security.evtx" file are not as restrictive as the default permissions listed below, this is a finding: -View the Properties of the system drive's root directory. 
+Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + + + + + SRG-OS-000057-GPOS-00027 + <GroupDescription></GroupDescription> + + WN19-AU-000050 + Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The System event log may be susceptible to tampering if proper permissions are not applied. -Select the "Security" tab, and the "Advanced" button. +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103281 + V-93193 + CCI-000163 + CCI-000164 + CCI-000162 + Configure the permissions on the System event log file (System.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: -Default permissions: -C:\ -Type - "Allow" for all -Inherited from - "None" for all +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control -Principal - Access - Applies to +The default location is the "%SystemRoot%\System32\winevt\Logs" folder. 
-SYSTEM - Full control - This folder, subfolders, and files -Administrators - Full control - This folder, subfolders, and files -Users - Read & execute - This folder, subfolders, and files -Users - Create folders/append data - This folder and subfolders -Users - Create files/write data - Subfolders only -CREATOR OWNER - Full Control - Subfolders and files only +If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". + + + + Navigate to the System event log file. -Alternately, use icacls: +The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. -Open "Command Prompt (Admin)". +If the permissions for the "System.evtx" file are not as restrictive as the default permissions listed below, this is a finding: -Enter "icacls" followed by the directory: +Eventlog - Full Control +SYSTEM - Full Control +Administrators - Full Control + + + + + SRG-OS-000062-GPOS-00031 + <GroupDescription></GroupDescription> + + WN19-SO-000050 + Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93151 + SV-103239 + CCI-000169 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -"icacls c:\" +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ -The following results should be displayed: +Value Name: SCENoApplyLegacyAuditPolicy -c:\ -NT AUTHORITY\SYSTEM:(OI)(CI)(F) -BUILTIN\Administrators:(OI)(CI)(F) -BUILTIN\Users:(OI)(CI)(RX) -BUILTIN\Users:(CI)(AD) -BUILTIN\Users:(CI)(IO)(WD) -CREATOR OWNER:(OI)(CI)(IO)(F) -Successfully processed 1 files; Failed processing 0 files +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000312-GPOS-00122 + + SRG-OS-000066-GPOS-00034 <GroupDescription></GroupDescription> - - WN19-00-000150 - Windows Server 2019 permissions for program file directories must conform to minimum requirements. - <VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. 
- -The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). + + WN19-PK-000010 + Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. + <VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs. -Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002165 - Maintain the default permissions for the program file directories and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN19-SO-000240). 
+ SV-103573 + V-93487 + CCI-000185 + CCI-002470 + Install the DoD Root CA certificates: -Default permissions: -\Program Files and \Program Files (x86) -Type - "Allow" for all -Inherited from - "None" for all +DoD Root CA 2 +DoD Root CA 3 +DoD Root CA 4 +DoD Root CA 5 -Principal - Access - Applies to +The InstallRoot tool is available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. + + + + The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. -TrustedInstaller - Full control - This folder and subfolders -SYSTEM - Modify - This folder only -SYSTEM - Full control - Subfolders and files only -Administrators - Modify - This folder only -Administrators - Full control - Subfolders and files only -Users - Read & execute - This folder, subfolders, and files -CREATOR OWNER - Full control - Subfolders and files only -ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files -ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files - - - - The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). +Open "Windows PowerShell" as an administrator. -Review the permissions for the program file directories (Program Files and Program Files [x86]). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. Individual accounts must not be used to assign permissions. +Execute the following command: -If permissions are not as restrictive as the default permissions listed below, this is a finding. +Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter -Viewing in File Explorer: +If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. -For each folder, view the Properties. 
+Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 +NotAfter: 12/5/2029 -Select the "Security" tab, and the "Advanced" button. +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB +NotAfter: 12/30/2029 -Default permissions: -\Program Files and \Program Files (x86) -Type - "Allow" for all -Inherited from - "None" for all +Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 +NotAfter: 7/25/2032 -Principal - Access - Applies to +Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B +NotAfter: 6/14/2041 -TrustedInstaller - Full control - This folder and subfolders -SYSTEM - Modify - This folder only -SYSTEM - Full control - Subfolders and files only -Administrators - Modify - This folder only -Administrators - Full control - Subfolders and files only -Users - Read & execute - This folder, subfolders and files -CREATOR OWNER - Full control - Subfolders and files only -ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files -ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files +Alternately, use the Certificates MMC snap-in: -Alternately, use icacls: +Run "MMC". -Open a Command prompt (admin). +Select "File", "Add/Remove Snap-in". -Enter "icacls" followed by the directory: +Select "Certificates" and click "Add". -'icacls "c:\program files"' -'icacls "c:\program files (x86)"' +Select "Computer account" and click "Next". -The following results should be displayed for each when entered: +Select "Local computer: (the computer this console is running on)" and click "Finish". 
-c:\program files (c:\program files (x86)) -NT SERVICE\TrustedInstaller:(F) -NT SERVICE\TrustedInstaller:(CI)(IO)(F) -NT AUTHORITY\SYSTEM:(M) -NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) -BUILTIN\Administrators:(M) -BUILTIN\Administrators:(OI)(CI)(IO)(F) -BUILTIN\Users:(RX) -BUILTIN\Users:(OI)(CI)(IO)(GR,GE) -CREATOR OWNER:(OI)(CI)(IO)(F) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) -APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) -APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) -Successfully processed 1 files; Failed processing 0 files +Click "OK". + +Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". + +For each of the DoD Root CA certificates noted below: + +Right-click on the certificate and select "Open". + +Select the "Details" Tab. + +Scroll to the bottom and select "Thumbprint". + +If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +DoD Root CA 2 +Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 +Valid to: Wednesday, December 5, 2029 + +DoD Root CA 3 +Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB +Valid to: Sunday, December 30, 2029 + +DoD Root CA 4 +Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 +Valid to: Sunday, July 25, 2032 + +DoD Root CA 5 +Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B +Valid to: Friday, June 14, 2041 - - SRG-OS-000312-GPOS-00122 + + SRG-OS-000066-GPOS-00034 <GroupDescription></GroupDescription> - - WN19-00-000160 - Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. - <VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. 
- -The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). + + WN19-PK-000020 + Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. + <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. -Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002165 - Maintain the default file ACLs and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN19-SO-000240). 
+ V-93489 + SV-103575 + CCI-000185 + CCI-002470 + Install the DoD Interoperability Root CA cross-certificates on unclassified systems. -Default permissions: -Type - "Allow" for all -Inherited from - "None" for all +Issued To - Issued By - Thumbprint -Principal - Access - Applies to +DoD Root CA 2 - DoD Interoperability Root CA 1 - A8C27332CCB4CA49554CE55D34062A7DD2850C02 -TrustedInstaller - Full control - This folder and subfolders -SYSTEM - Modify - This folder only -SYSTEM - Full control - Subfolders and files only -Administrators - Modify - This folder only -Administrators - Full control - Subfolders and files only -Users - Read & execute - This folder, subfolders, and files -CREATOR OWNER - Full control - Subfolders and files only -ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files -ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files - - - - The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). +DoD Root CA 3 - DoD Interoperability Root CA 2 - AC06108CA348CC03B53795C64BF84403C1DBD341 -Review the permissions for the Windows installation directory (usually C:\Windows). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. Individual accounts must not be used to assign permissions. +Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user. -If permissions are not as restrictive as the default permissions listed below, this is a finding: +The FBCA Cross-Certificate Remover Tool and User Guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. + + + + This is applicable to unclassified systems. It is NA for others. -Viewing in File Explorer: +Open "PowerShell" as an administrator. 
-For each folder, view the Properties. +Execute the following command: -Select the "Security" tab and the "Advanced" button. +Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter -Default permissions: -\Windows -Type - "Allow" for all -Inherited from - "None" for all +If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. -Principal - Access - Applies to +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 +NotAfter: 1/22/2022 10:22:56 AM -TrustedInstaller - Full control - This folder and subfolders -SYSTEM - Modify - This folder only -SYSTEM - Full control - Subfolders and files only -Administrators - Modify - This folder only -Administrators - Full control - Subfolders and files only -Users - Read & execute - This folder, subfolders, and files -CREATOR OWNER - Full control - Subfolders and files only -ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files -ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files +Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02 +NotAfter: 8/26/2022 9:25:51 AM -Alternately, use icacls: +Alternately, use the Certificates MMC snap-in: -Open a Command prompt (admin). +Run "MMC". -Enter "icacls" followed by the directory: +Select "File", "Add/Remove Snap-in". -"icacls c:\windows" +Select "Certificates" and click "Add". -The following results should be displayed for each when entered: +Select "Computer account" and click "Next". 
-c:\windows -NT SERVICE\TrustedInstaller:(F) -NT SERVICE\TrustedInstaller:(CI)(IO)(F) -NT AUTHORITY\SYSTEM:(M) -NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) -BUILTIN\Administrators:(M) -BUILTIN\Administrators:(OI)(CI)(IO)(F) -BUILTIN\Users:(RX) -BUILTIN\Users:(OI)(CI)(IO)(GR,GE) -CREATOR OWNER:(OI)(CI)(IO)(F) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) -APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) -APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) -APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) -Successfully processed 1 files; Failed processing 0 files +Select "Local computer: (the computer this console is running on)" and click "Finish". + +Click "OK". + +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". + +For each certificate with "DoD Root CA..." under "Issued To" and "DoD Interoperability Root CA..." under "Issued By": + +Right-click on the certificate and select "Open". + +Select the "Details" Tab. + +Scroll to the bottom and select "Thumbprint". + +If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +Issued To: DoD Root CA 2 +Issued By: DoD Interoperability Root CA 1 +Thumbprint: A8C27332CCB4CA49554CE55D34062A7DD2850C02 +Valid to: Friday, August 26, 2022 + +Issued To: DoD Root CA 3 +Issued By: DoD Interoperability Root CA 2 +Thumbprint: AC06108CA348CC03B53795C64BF84403C1DBD341 +Valid to: Saturday, January 22, 2022 - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000066-GPOS-00034 <GroupDescription></GroupDescription> - - WN19-00-000170 - Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. - <VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. 
Changing the system's registry permissions allows the possibility of unauthorized and anonymous modification to the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-PK-000030 + Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. + <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. + +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive. + V-93491 + SV-103577 + CCI-000185 + CCI-002470 + Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. -The default permissions of the higher-level keys are noted below. 
+Issued To - Issued By - Thumbprint -HKEY_LOCAL_MACHINE\SECURITY +DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -SYSTEM - Full Control - This key and subkeys -Administrators - Special - This key and subkeys +DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E -HKEY_LOCAL_MACHINE\SOFTWARE +Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user. -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -Users - Read - This key and subkeys -Administrators - Full Control - This key and subkeys -SYSTEM - Full Control - This key and subkeys -CREATOR OWNER - Full Control - This key and subkeys -ALL APPLICATION PACKAGES - Read - This key and subkeys +The FBCA Cross-Certificate Remover Tool and User Guide are available on Cyber Exchange at https://cyber.mil/pki-pke/tools-configuration-files. + + + + This is applicable to unclassified systems. It is NA for others. -HKEY_LOCAL_MACHINE\SYSTEM +Open "PowerShell" as an administrator. -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -Users - Read - This key and subkeys -Administrators - Full Control - This key and subkeys -SYSTEM - Full Control - This key and subkeys -CREATOR OWNER - Full Control - Subkeys only -ALL APPLICATION PACKAGES - Read - This key and subkeys +Execute the following command: -Microsoft has also given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID. -S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 - - - - Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive noted below. 
+Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter -If any non-privileged groups such as Everyone, Users, or Authenticated Users have greater than Read permission, this is a finding. +If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. -If permissions are not as restrictive as the default permissions listed below, this is a finding: +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 +NotAfter: 8/26/2022 9:07:50 AM -Run "Regedit". +Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US +Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US +Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E +NotAfter: 9/27/2019 -Right-click on the registry areas noted below. +Alternately, use the Certificates MMC snap-in: -Select "Permissions" and the "Advanced" button. +Run "MMC". -HKEY_LOCAL_MACHINE\SECURITY +Select "File", "Add/Remove Snap-in". -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -SYSTEM - Full Control - This key and subkeys -Administrators - Special - This key and subkeys +Select "Certificates" and click "Add". -HKEY_LOCAL_MACHINE\SOFTWARE +Select "Computer account" and click "Next". -Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -Users - Read - This key and subkeys -Administrators - Full Control - This key and subkeys -SYSTEM - Full Control - This key and subkeys -CREATOR OWNER - Full Control - This key and subkeys -ALL APPLICATION PACKAGES - Read - This key and subkeys +Select "Local computer: (the computer this console is running on)" and click "Finish". -HKEY_LOCAL_MACHINE\SYSTEM +Click "OK". 
-Type - "Allow" for all -Inherited from - "None" for all -Principal - Access - Applies to -Users - Read - This key and subkeys -Administrators - Full Control - This key and subkeys -SYSTEM - Full Control - This key and subkeys -CREATOR OWNER - Full Control - Subkeys only -ALL APPLICATION PACKAGES - Read - This key and subkeys +Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". -Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission. +For each certificate with "US DoD CCEB Interoperability Root CA ..." under "Issued By": -Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding. -S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 +Right-click on the certificate and select "Open". -If the defaults have not been changed, these are not a finding. +Select the "Details" Tab. + +Scroll to the bottom and select "Thumbprint". + +If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. + +Issued To: DoD Root CA 3 +Issued By: US DoD CCEB Interoperability Root CA 2 +Thumbprint: AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 +Valid to: Friday, August 26, 2022 + +Issued To: DoD Root CA 3 +Issued By: US DoD CCEB Interoperability Root CA 2 +Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E +Valid: Friday, September 27, 2019 - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000067-GPOS-00035 <GroupDescription></GroupDescription> - - WN19-MS-000010 - Windows Server 2019 must only allow administrators responsible for the member server or standalone system to have Administrator rights on the system. - <VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. 
Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. + + WN19-SO-000350 + Windows Server 2019 users must be required to enter a password to access private keys stored on the computer. + <VulnDiscussion>If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. -System administrators must log on to systems using only accounts with the minimum level of authority necessary. +The cornerstone of the PKI is the private key used to encrypt or digitally sign information. -For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group (see V-36433 in the Active Directory Domain STIG). Restricting highly privileged accounts from the local Administrators group helps mitigate the risk of privilege escalation resulting from credential theft attacks. +If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. 
-Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the local "Administrators" group to include only administrator groups or accounts responsible for administration of the system. - -For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. - -Remove any standard user accounts. - - - - This applies to member servers and standalone systems. A separate version applies to domain controllers. - -Open "Computer Management". - -Navigate to "Groups" under "Local Users and Groups". - -Review the local "Administrators" group. - -Only administrator groups or accounts responsible for administration of the system may be members of the group. - -For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. 
+ SV-103579 + V-93493 + CCI-000186 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Force strong key protection for user keys stored on the computer" to "User must enter a password each time they use a key". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Standard user accounts must not be members of the local Administrator group. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ -If accounts that do not have responsibility for administration of the system are members of the local Administrators group, this is a finding. +Value Name: ForceKeyProtection -If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding. +Type: REG_DWORD +Value: 0x00000002 (2) - - SRG-OS-000324-GPOS-00125 + + SRG-OS-000073-GPOS-00041 <GroupDescription></GroupDescription> - - WN19-MS-000060 - Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone systems. - <VulnDiscussion>The Windows SAM stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000300 + Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords. 
+ <VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict clients allowed to make remote calls to SAM". -Select "Edit Security" to configure the "Security descriptor:". - -Add "Administrators" in "Group or user names:" if it is not already listed (this is the default). - -Select "Administrators" in "Group or user names:". - -Select "Allow" for "Remote Access" in "Permissions for "Administrators". - -Click "OK". - -The "Security descriptor:" must be populated with "O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced. - - - - This applies to member servers and standalone systems; it is NA for domain controllers. - -If the following registry value does not exist or is not configured as specified, this is a finding: + V-93467 + SV-103553 + CCI-000196 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ -Value Name: RestrictRemoteSAM +Value Name: NoLMHash -Value Type: REG_SZ -Value: O:BAG:BAD:(A;;RC;;;BA) +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000074-GPOS-00042 <GroupDescription></GroupDescription> - - WN19-AU-000090 - Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Other Account Management Events records events such as the access of a password hash or the Password Policy Checking API being called. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000180 + Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. + <VulnDiscussion>Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. 
Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Other Account Management Events" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. - -Use the "AuditPol" tool to review the current Audit Policy configuration: - -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). - -Enter "AuditPol /get /category:*" + V-93469 + SV-103555 + CCI-000197 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Client: Send unencrypted password to third-party SMB servers" to "Disabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Compare the "AuditPol" settings with the following: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ -If the system does not audit the following, this is a finding: +Value Name: EnablePlainTextPassword -Account Management >> Other Account Management Events - Success +Value Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000076-GPOS-00044 <GroupDescription></GroupDescription> - - WN19-AU-000140 - Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Process Creation records events related to the creation of a process and the source. + + WN19-00-000020 + Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days. + <VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. Changing the password for the built-in Administrator account on a regular basis will limit its exposure. 
-Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit Process Creation" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + SV-103559 + V-93473 + CCI-000199 + Change the built-in Administrator account password at least every "60" days. -Use the "AuditPol" tool to review the current Audit Policy configuration: +Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this. 
+ + + + Review the password last set date for the built-in Administrator account. -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Domain controllers: -Enter "AuditPol /get /category:*" +Open "PowerShell". -Compare the "AuditPol" settings with the following: +Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | Ft Name, SID, PasswordLastSet". -If the system does not audit the following, this is a finding. +If the "PasswordLastSet" date is greater than "60" days old, this is a finding. -Detailed Tracking >> Process Creation - Success +Member servers and standalone systems: + +Open "Command Prompt". + +Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account. + +(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.) + +If the "PasswordLastSet" date is greater than "60" days old, this is a finding. - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000076-GPOS-00044 <GroupDescription></GroupDescription> - - WN19-AU-000260 - Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Policy Change records events related to changes in audit policy. 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000210 + Windows Server 2019 passwords must be configured to expire. + <VulnDiscussion>Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + SV-103561 + V-93475 + CCI-000199 + Configure all enabled user account passwords to expire. 
-Use the "AuditPol" tool to review the current Audit Policy configuration: +Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO. + + + + Review the password never expires status for enabled user accounts. -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Open "PowerShell". -Enter "AuditPol /get /category:*" +Domain Controllers: -Compare the "AuditPol" settings with the following: +Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled". -If the system does not audit the following, this is a finding. +Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. -Policy Change >> Audit Policy Change - Success +If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. + +Member servers and standalone systems: + +Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. + +Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest). + +If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding. - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000078-GPOS-00046 <GroupDescription></GroupDescription> - - WN19-AU-000270 - Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Policy Change records events related to changes in audit policy. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000050 + Windows Server 2019 manually managed application account passwords must be at least 15 characters in length. + <VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Failure" selected. 
- - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. - -Use the "AuditPol" tool to review the current Audit Policy configuration: - -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). - -Enter "AuditPol /get /category:*" - -Compare the "AuditPol" settings with the following: + V-93461 + SV-103547 + CCI-000205 + Establish a policy that requires application/service account passwords that are manually managed to be at least 15 characters in length. Ensure the policy is enforced. + + + + Determine if manually managed application/service accounts exist. If none exist, this is NA. -If the system does not audit the following, this is a finding. +Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. -Policy Change >> Audit Policy Change - Failure +If such a policy does not exist or has not been implemented, this is a finding. - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - WN19-AU-000280 - Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Authentication Policy Change records events related to changes in authentication policy, including Kerberos policy and Trust changes. 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000130 + Windows Server 2019 local volumes must use a format that supports NTFS attributes. + <VulnDiscussion>The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, volumes must be formatted using a file system that supports NTFS attributes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authentication Policy Change" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + V-92991 + SV-103079 + CCI-000213 + Format volumes to use NTFS or ReFS. + + + + Open "Computer Management". 
-Use the "AuditPol" tool to review the current Audit Policy configuration: +Select "Disk Management" under "Storage". -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). - -Enter "AuditPol /get /category:*" - -Compare the "AuditPol" settings with the following: +For each local volume, if the file system does not indicate "NTFS", this is a finding. -If the system does not audit the following, this is a finding. +"ReFS" (resilient file system) is also acceptable and would not be a finding. -Policy Change >> Authentication Policy Change - Success +This does not apply to system partitions such the Recovery and EFI System Partition. - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - - WN19-AU-000290 - Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Authorization Policy Change records events related to changes in user rights, such as "Create a token object". 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000180 + Windows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares. + <VulnDiscussion>Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration can permit access to devices and data beyond a user's need.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authorization Policy Change" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + SV-103081 + V-92993 + CCI-000213 + Configure the permissions on shared printers to restrict standard users to only have Print permissions. 
+ + + + Open "Printers & scanners" in "Settings". -Use the "AuditPol" tool to review the current Audit Policy configuration: +If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +For each printer: -Enter "AuditPol /get /category:*" +Select the printer and "Manage". -Compare the "AuditPol" settings with the following: +Select "Printer Properties". -If the system does not audit the following, this is a finding. +Select the "Sharing" tab. -Policy Change >> Authorization Policy Change - Success +If "Share this printer" is checked, select the "Security" tab. + +If any standard user accounts or groups have permissions other than "Print", this is a finding. + +The default is for the "Everyone" group to be given "Print" permission. + +"All APPLICATION PACKAGES" and "CREATOR OWNER" are not standard user accounts. - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000300 - Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs". 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000270 + Windows Server 2019 must have the roles and features required by the system documented. + <VulnDiscussion>Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option (previously called Server Core) further reduces this when selected at installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. 
- -Use the "AuditPol" tool to review the current Audit Policy configuration: - -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). - -Enter "AuditPol /get /category:*" + V-93381 + SV-103467 + CCI-000381 + Document the roles and features required for the system to operate. Uninstall any that are not required. + + + + Required roles and features will vary based on the function of the individual system. -Compare the "AuditPol" settings with the following: +Roles and features specifically required to be disabled per the STIG are identified in separate requirements. -If the system does not audit the following, this is a finding. +If the organization has not documented the roles and features required for the system(s), this is a finding. -Privilege Use >> Sensitive Privilege Use - Success +The PowerShell command "Get-WindowsFeature" will list all roles and features with an "Install State". - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000310 - Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs". 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000320 + Windows Server 2019 must not have the Fax Server role installed. + <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + SV-103469 + V-93383 + CCI-000381 + Uninstall the "Fax Server" role. -Use the "AuditPol" tool to review the current Audit Policy configuration: +Start "Server Manager". 
-Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Select the server with the role. -Enter "AuditPol /get /category:*" +Scroll down to "ROLES AND FEATURES" in the right pane. -Compare the "AuditPol" settings with the following: +Select "Remove Roles and Features" from the drop-down "TASKS" list. -If the system does not audit the following, this is a finding. +Select the appropriate server on the "Server Selection" page and click "Next". -Privilege Use >> Sensitive Privilege Use - Failure +Deselect "Fax Server" on the "Roles" page. + +Click "Next" and "Remove" as prompted. + + + + Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq Fax". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding. - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000320 - Windows Server 2019 must be configured to audit System - IPsec Driver successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -IPsec Driver records events related to the IPsec Driver, such as dropped packets. 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000340 + Windows Server 2019 must not have the Peer Name Resolution Protocol installed. + <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + V-93385 + SV-103471 + CCI-000381 + Uninstall the "Peer Name Resolution Protocol" feature. -Use the "AuditPol" tool to review the current Audit Policy configuration: +Start "Server Manager". 
-Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Select the server with the feature. -Enter "AuditPol /get /category:*" +Scroll down to "ROLES AND FEATURES" in the right pane. -Compare the "AuditPol" settings with the following: +Select "Remove Roles and Features" from the drop-down "TASKS" list. -If the system does not audit the following, this is a finding. +Select the appropriate server on the "Server Selection" page and click "Next". -System >> IPsec Driver - Success +Deselect "Peer Name Resolution Protocol" on the "Features" page. + +Click "Next" and "Remove" as prompted. + + + + Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq PNRP". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding. - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000330 - Windows Server 2019 must be configured to audit System - IPsec Driver failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -IPsec Driver records events related to the IPsec Driver, such as dropped packets. 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000350 + Windows Server 2019 must not have Simple TCP/IP Services installed. + <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + V-93387 + SV-103473 + CCI-000381 + Uninstall the "Simple TCP/IP Services" feature. -Use the "AuditPol" tool to review the current Audit Policy configuration: +Start "Server Manager". 
-Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Select the server with the feature. -Enter "AuditPol /get /category:*" +Scroll down to "ROLES AND FEATURES" in the right pane. -Compare the "AuditPol" settings with the following: +Select "Remove Roles and Features" from the drop-down "TASKS" list. -If the system does not audit the following, this is a finding. +Select the appropriate server on the "Server Selection" page and click "Next". -System >> IPsec Driver - Failure +Deselect "Simple TCP/IP Services" on the "Features" page. + +Click "Next" and "Remove" as prompted. + + + + Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq Simple-TCPIP". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding. - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000340 - Windows Server 2019 must be configured to audit System - Other System Events successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000370 + Windows Server 2019 must not have the TFTP Client installed. + <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + SV-103475 + V-93389 + CCI-000381 + Uninstall the "TFTP Client" feature. -Use the "AuditPol" tool to review the current Audit Policy configuration: +Start "Server Manager". 
-Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Select the server with the feature. -Enter "AuditPol /get /category:*" +Scroll down to "ROLES AND FEATURES" in the right pane. -Compare the "AuditPol" settings with the following: +Select "Remove Roles and Features" from the drop-down "TASKS" list. -If the system does not audit the following, this is a finding. +Select the appropriate server on the "Server Selection" page and click "Next". -System >> Other System Events - Success +Deselect "TFTP Client" on the "Features" page. + +Click "Next" and "Remove" as prompted. + + + + Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq TFTP-Client". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding. - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000350 - Windows Server 2019 must be configured to audit System - Other System Events failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. 
- -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000380 + Windows Server 2019 must not the Server Message Block (SMB) v1 protocol installed. + <VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + SV-103477 + V-93391 + CCI-000381 + Uninstall the SMBv1 protocol. 
-Use the "AuditPol" tool to review the current Audit Policy configuration: +Open "Windows PowerShell" with elevated privileges (run as administrator). -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Enter "Uninstall-WindowsFeature -Name FS-SMB1 -Restart". +(Omit the Restart parameter if an immediate restart of the system cannot be done.) -Enter "AuditPol /get /category:*" +Alternately: -Compare the "AuditPol" settings with the following: +Start "Server Manager". -If the system does not audit the following, this is a finding. +Select the server with the feature. -System >> Other System Events - Failure - - - - - SRG-OS-000327-GPOS-00127 - <GroupDescription></GroupDescription> - - WN19-AU-000360 - Windows Server 2019 must be configured to audit System - Security State Change successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. +Scroll down to "ROLES AND FEATURES" in the right pane. -Security State Change records events related to changes in the security state, such as startup and shutdown of the system. +Select "Remove Roles and Features" from the drop-down "TASKS" list. 
-Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security State Change" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. +Select the appropriate server on the "Server Selection" page and click "Next". -Use the "AuditPol" tool to review the current Audit Policy configuration: +Deselect "SMB 1.0/CIFS File Sharing Support" on the "Features" page. -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Click "Next" and "Remove" as prompted. + + + + Different methods are available to disable SMBv1 on Windows Server 2019. This is the preferred method, however if WN19-00-000390 and WN19-00-000400 are configured, this is NA. -Enter "AuditPol /get /category:*" +Open "Windows PowerShell" with elevated privileges (run as administrator). -Compare the "AuditPol" settings with the following: +Enter "Get-WindowsFeature -Name FS-SMB1". -If the system does not audit the following, this is a finding. +If "Installed State" is "Installed", this is a finding. 
-System >> Security State Change - Success +An Installed State of "Available" or "Removed" is not a finding. - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000370 - Windows Server 2019 must be configured to audit System - Security System Extension successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Security System Extension records events related to extension code being loaded by the security subsystem. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000390 + Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. + <VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security System Extension" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + SV-103479 + V-93393 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 Server" to "Disabled". -Use the "AuditPol" tool to review the current Audit Policy configuration: +The system must be restarted for the change to take effect. -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA. 
-Enter "AuditPol /get /category:*" +If the following registry value does not exist or is not configured as specified, this is a finding: -Compare the "AuditPol" settings with the following: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ -If the system does not audit the following, this is a finding. +Value Name: SMB1 -System >> Security System Extension - Success +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000380 - Windows Server 2019 must be configured to audit System - System Integrity successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -System Integrity records events related to violations of integrity to the security subsystem. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000400 + Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client. + <VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. 
MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + SV-103481 + V-93395 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client driver" to "Enabled" with "Disable driver (recommended)" selected for "Configure MrxSmb10 driver". -Use the "AuditPol" tool to review the current Audit Policy configuration: +The system must be restarted for the changes to take effect. -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. 
+ + + + Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA. -Enter "AuditPol /get /category:*" +If the following registry value is not configured as specified, this is a finding: -Compare the "AuditPol" settings with the following: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ -If the system does not audit the following, this is a finding. +Value Name: Start -System >> System Integrity - Success +Type: REG_DWORD +Value: 0x00000004 (4) - - SRG-OS-000327-GPOS-00127 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000390 - Windows Server 2019 must be configured to audit System - System Integrity failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -System Integrity records events related to violations of integrity to the security subsystem. - -Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000410 + Windows Server 2019 must not have Windows PowerShell 2.0 installed. 
+ <VulnDiscussion>Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.x script block logging feature.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-002234 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + SV-103483 + V-93397 + CCI-000381 + Uninstall the "Windows PowerShell 2.0 Engine". -Use the "AuditPol" tool to review the current Audit Policy configuration: +Start "Server Manager". -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Select the server with the feature. -Enter "AuditPol /get /category:*" +Scroll down to "ROLES AND FEATURES" in the right pane. -Compare the "AuditPol" settings with the following: +Select "Remove Roles and Features" from the drop-down "TASKS" list. -If the system does not audit the following, this is a finding. +Select the appropriate server on the "Server Selection" page and click "Next". 
-System >> System Integrity - Failure +Deselect "Windows PowerShell 2.0 Engine" under "Windows PowerShell" on the "Features" page. + +Click "Next" and "Remove" as prompted. + + + + Open "PowerShell". + +Enter "Get-WindowsFeature | Where Name -eq PowerShell-v2". + +If "Installed State" is "Installed", this is a finding. + +An Installed State of "Available" or "Removed" is not a finding. - - SRG-OS-000023-GPOS-00006 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-SO-000130 - Windows Server 2019 required legal notice must be configured to display before console logon. - <VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. - -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000010 + Windows Server 2019 must prevent the display of slide shows on the lock screen. + <VulnDiscussion>Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. 
Turning off this feature will limit access to the information to a logged-on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000048 - CCI-000050 - CCI-001384 - CCI-001385 - CCI-001386 - CCI-001387 - CCI-001388 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message text for users attempting to log on" to the following: - -You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ V-93399 + SV-103485 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> "Prevent enabling lock screen slide show" to "Enabled". + + + + Verify the registry value below. --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. - - - - If the following registry value does not exist or is not configured as specified, this is a finding: +If it does not exist or is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: LegalNoticeText - -Value Type: REG_SZ -Value: See message text below - -You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. - -By using this IS (which includes any device attached to this IS), you consent to the following conditions: - --The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. - --At any time, the USG may inspect and seize data stored on this IS. - --Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
+Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ --This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. +Value Name: NoLockScreenSlideshow --Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000023-GPOS-00006 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-SO-000140 - Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text. - <VulnDiscussion>Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. - -Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000020 + Windows Server 2019 must have WDigest Authentication disabled. + <VulnDiscussion>When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows Server 2019. 
This setting ensures this is enforced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000048 - CCI-001384 - CCI-001385 - CCI-001386 - CCI-001387 - CCI-001388 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message title for users attempting to log on" to "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. + V-93401 + SV-103487 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "WDigest Authentication (disabling may require KB2871997)" to "Disabled". -If an organization-defined title is used, it can in no case contravene or modify the language of the message text required in WN19-SO-000150. - - - +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and " SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. 
+ + + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ - -Value Name: LegalNoticeCaption - -Value Type: REG_SZ -Value: See message title options below - -"DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ -If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN19-SO-000150. +Value Name: UseLogonCredential -Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required. +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000062-GPOS-00031 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-SO-000050 - Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
-This setting allows administrators to enable more precise auditing capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000150 + Windows Server 2019 downloading print driver packages over HTTP must be turned off. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. + +This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000169 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled". 
- - - + V-93403 + SV-103489 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off downloading of print drivers over HTTP" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ -Value Name: SCENoApplyLegacyAuditPolicy +Value Name: DisableWebPnPDownload -Value Type: REG_DWORD +Type: REG_DWORD Value: 0x00000001 (1) - - SRG-OS-000470-GPOS-00214 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000070 - Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + + WN19-CC-000160 + Windows Server 2019 printing over HTTP must be turned off. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. 
-Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. - -Use the "AuditPol" tool to review the current Audit Policy configuration: - -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). 
- -Enter "AuditPol /get /category:*" + SV-103491 + V-93405 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off printing over HTTP" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Compare the "AuditPol" settings with the following: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ -If the system does not audit the following, this is a finding. +Value Name: DisableHTTPPrinting -Account Logon >> Credential Validation - Success +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000470-GPOS-00214 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000080 - Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
- -Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000170 + Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen. + <VulnDiscussion>Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. - -Use the "AuditPol" tool to review the current Audit Policy configuration: - -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). 
- -Enter "AuditPol /get /category:*" + V-93407 + SV-103493 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Do not display network selection UI" to "Enabled". + + + + Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Compare the "AuditPol" settings with the following: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ -If the system does not audit the following, this is a finding. +Value Name: DontDisplayNetworkSelectionUI -Account Logon >> Credential Validation - Failure +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000474-GPOS-00219 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000130 - Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + + WN19-CC-000200 + Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. 
-Plug and Play activity records events related to the successful connection of external devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit PNP Activity" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + SV-103495 + V-93409 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> "Turn off Inventory Collector" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Use the "AuditPol" tool to review the current Audit Policy configuration: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppCompat\ -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). - -Enter "AuditPol /get /category:*" - -Compare the "AuditPol" settings with the following: - -If the system does not audit the following, this is a finding. +Value Name: DisableInventory -Detailed Tracking >> Plug and Play Events - Success +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000470-GPOS-00214 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000170 - Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Audit Group Membership records information related to the group membership of a user's logon token.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000300 + Windows Server 2019 Windows Defender SmartScreen must be enabled. 
+ <VulnDiscussion>Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen can block potentially malicious programs or warn users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Group Membership" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. - -Use the "AuditPol" tool to review the current Audit Policy configuration: + SV-103497 + V-93411 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows Defender SmartScreen" to "Enabled" with either option "Warn" or "Warn and prevent bypass" selected. -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Windows 2019 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Explorer. + + + + This is applicable to unclassified systems; for other systems, this is NA. 
-Enter "AuditPol /get /category:*" +If the following registry value does not exist or is not configured as specified, this is a finding: -Compare the "AuditPol" settings with the following: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ -If the system does not audit the following, this is a finding. +Value Name: EnableSmartScreen -Logon/Logoff >> Group Membership - Success +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000470-GPOS-00214 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000210 - Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Special Logon records special logons that have administrative privileges and can be used to elevate processes. - -Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000400 + Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP. + <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Special Logon" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + V-93413 + SV-103499 + CCI-000381 + The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. -Use the "AuditPol" tool to review the current Audit Policy configuration: +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Turn on Basic feed authentication over HTTP" to "Not Configured" or "Disabled". + + + + The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +If the registry value name below does not exist, this is not a finding. -Enter "AuditPol /get /category:*" +If it exists and is configured with a value of "0", this is not a finding. 
-Compare the "AuditPol" settings with the following: +If it exists and is configured with a value of "1", this is a finding. -If the system does not audit the following, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ -Logon/Logoff >> Special Logon - Success +Value Name: AllowBasicAuthInClear + +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist) - - SRG-OS-000470-GPOS-00214 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000220 - Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000410 + Windows Server 2019 must prevent Indexing of encrypted files. + <VulnDiscussion>Indexing of encrypted files may expose sensitive data. 
This setting prevents encrypted files from being indexed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. - -Use the "AuditPol" tool to review the current Audit Policy configuration: - -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). - -Enter "AuditPol /get /category:*" + SV-103501 + V-93415 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> "Allow indexing of encrypted files" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Compare the "AuditPol" settings with the following: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Windows Search\ -If the system does not audit the following, this is a finding. 
+Value Name: AllowIndexingEncryptedStoresOrItems -Object Access >> Other Object Access Events - Success +Value Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000470-GPOS-00214 + + SRG-OS-000095-GPOS-00049 <GroupDescription></GroupDescription> - - WN19-AU-000230 - Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-MS-000030 + Windows Server 2019 local users on domain-joined member servers must not be enumerated. + <VulnDiscussion>The username is one part of logon credentials that could be used to gain access to a system. 
Preventing the enumeration of users limits this information to authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. - -Use the "AuditPol" tool to review the current Audit Policy configuration: - -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). + V-93419 + SV-103505 + CCI-000381 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Enumerate local users on domain-joined computers" to "Disabled". + + + + This applies to member servers. For domain controllers and standalone systems, this is NA. -Enter "AuditPol /get /category:*" +If the following registry value does not exist or is not configured as specified, this is a finding: -Compare the "AuditPol" settings with the following: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ -If the system does not audit the following, this is a finding. 
+Value Name: EnumerateLocalUsers -Object Access >> Other Object Access Events - Failure +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000474-GPOS-00219 + + SRG-OS-000096-GPOS-00050 <GroupDescription></GroupDescription> - - WN19-AU-000240 - Windows Server 2019 must be configured to audit Object Access - Removable Storage successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000330 + Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization. + <VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. - -Use the "AuditPol" tool to review the current Audit Policy configuration: - -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). - -Enter "AuditPol /get /category:*" + V-93421 + SV-103507 + CCI-000382 + Uninstall the "FTP Server" role. -Compare the "AuditPol" settings with the following: +Start "Server Manager". -If the system does not audit the following, this is a finding. +Select the server with the role. -Object Access >> Removable Storage - Success +Scroll down to "ROLES AND FEATURES" in the right pane. -Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. 
- - - - - SRG-OS-000474-GPOS-00219 - <GroupDescription></GroupDescription> - - WN19-AU-000250 - Windows Server 2019 must be configured to audit Object Access - Removable Storage failures. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. +Select "Remove Roles and Features" from the drop-down "TASKS" list. -Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000172 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Failure" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. +Select the appropriate server on the "Server Selection" page and click "Next". 
-Use the "AuditPol" tool to review the current Audit Policy configuration: +Deselect "FTP Server" under "Web Server (IIS)" on the "Roles" page. -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). +Click "Next" and "Remove" as prompted. + + + + If the server has the role of an FTP server, this is NA. -Enter "AuditPol /get /category:*" +Open "PowerShell". -Compare the "AuditPol" settings with the following: +Enter "Get-WindowsFeature | Where Name -eq Web-Ftp-Service". -If the system does not audit the following, this is a finding. +If "Installed State" is "Installed", this is a finding. -Object Access >> Removable Storage - Failure +An Installed State of "Available" or "Removed" is not a finding. -Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. +If the system has the role of an FTP server, this must be documented with the ISSO. - - SRG-OS-000472-GPOS-00217 + + SRG-OS-000096-GPOS-00050 <GroupDescription></GroupDescription> - - WN19-AU-000180 - Windows Server 2019 must be configured to audit logoff successes. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. 
- -Satisfies: SRG-OS-000472-GPOS-00217, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000360 + Windows Server 2019 must not have the Telnet Client installed. + <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000172 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logoff" with "Success" selected. - - - - Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. + V-93423 + SV-103509 + CCI-000382 + Uninstall the "Telnet Client" feature. -Use the "AuditPol" tool to review the current Audit Policy configuration: +Start "Server Manager". -Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). 
+Select the server with the feature. -Enter "AuditPol /get /category:*" +Scroll down to "ROLES AND FEATURES" in the right pane. -Compare the "AuditPol" settings with the following: +Select "Remove Roles and Features" from the drop-down "TASKS" list. -If the system does not audit the following, this is a finding. +Select the appropriate server on the "Server Selection" page and click "Next". -Logon/Logoff >> Logoff - Success - - - - - SRG-OS-000042-GPOS-00020 - <GroupDescription></GroupDescription> - - WN19-CC-000090 - Windows Server 2019 command line data must be included in process creation events. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. +Deselect "Telnet Client" on the "Features" page. -Enabling "Include command line data for process creation events" will record the command line information with the process creation events in the log. This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000135 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Audit Process Creation >> "Include command line in process creation events" to "Enabled". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Click "Next" and "Remove" as prompted. + + + + Open "PowerShell". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ +Enter "Get-WindowsFeature | Where Name -eq Telnet-Client". -Value Name: ProcessCreationIncludeCmdLine_Enabled +If "Installed State" is "Installed", this is a finding. -Value Type: REG_DWORD -Value: 0x00000001 (1) +An Installed State of "Available" or "Removed" is not a finding. - - SRG-OS-000042-GPOS-00020 + + SRG-OS-000104-GPOS-00051 <GroupDescription></GroupDescription> - - WN19-CC-000460 - Windows Server 2019 PowerShell script block logging must be enabled. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. - -Enabling PowerShell script block logging will record detailed information from the processing of PowerShell commands and scripts. This can provide additional detail when malware has run on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000070 + Windows Server 2019 shared user accounts must not be permitted. 
+ <VulnDiscussion>Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000135 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows PowerShell >> "Turn on PowerShell Script Block Logging" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103523 + V-93437 + CCI-000764 + Remove unapproved shared accounts from the system. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\ Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ +Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. + + + + Determine whether any shared accounts exist. If no shared accounts exist, this is NA. -Value Name: EnableScriptBlockLogging +Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. 
-Value Type: REG_DWORD -Value: 0x00000001 (1) +If unapproved shared accounts exist, this is a finding. - - SRG-OS-000341-GPOS-00132 + + SRG-OS-000104-GPOS-00051 <GroupDescription></GroupDescription> - - WN19-CC-000270 - Windows Server 2019 Application event log size must be configured to 32768 KB or greater. - <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000200 + Windows Server 2019 accounts must require passwords. + <VulnDiscussion>The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001849 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater. 
- - - - If the system is configured to write events directly to an audit server, this is NA. + SV-103525 + V-93439 + CCI-000764 + Configure all enabled accounts to require passwords. -If the following registry value does not exist or is not configured as specified, this is a finding: +The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account. + + + + Review the password required status for enabled user accounts. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ +Open "PowerShell". -Value Name: MaxSize +Domain Controllers: -Type: REG_DWORD -Value: 0x00008000 (32768) (or greater) +Enter "Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled". + +Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs). + +If "Passwordnotrequired" is "True" or blank for any enabled user account, this is a finding. + +Member servers and standalone systems: + +Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. + +Exclude disabled accounts (e.g., DefaultAccount, Guest). + +If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding. - - SRG-OS-000341-GPOS-00132 + + SRG-OS-000118-GPOS-00060 <GroupDescription></GroupDescription> - - WN19-CC-000280 - Windows Server 2019 Security event log size must be configured to 196608 KB or greater. - <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000190 + Windows Server 2019 outdated or unused accounts must be removed or disabled. + <VulnDiscussion>Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001849 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Security >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "196608" or greater. - - - - If the system is configured to write events directly to an audit server, this is NA. + SV-103543 + V-93457 + CCI-000795 + Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days. + + + + Open "Windows PowerShell". 
-If the following registry value does not exist or is not configured as specified, this is a finding: +Domain Controllers: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ +Enter "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" -Value Name: MaxSize +This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. -Type: REG_DWORD -Value: 0x00030000 (196608) (or greater) +Member servers and standalone systems: + +Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) + +"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { + $user = ([ADSI]$_.Path) + $lastLogin = $user.Properties.LastLogin.Value + $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 + if ($lastLogin -eq $null) { + $lastLogin = 'Never' + } + Write-Host $user.Name $lastLogin $enabled +}" + +This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). +For example: User1 10/31/2015 5:49:56 AM True + +Review the list of accounts returned by the above queries to determine the finding validity for each account reported. + +Exclude the following accounts: + +- Built-in administrator account (Renamed, SID ending in 500) +- Built-in guest account (Renamed, Disabled, SID ending in 501) +- Application accounts + +If any enabled accounts have not been logged on to within the past 35 days, this is a finding. + +Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO. - - SRG-OS-000341-GPOS-00132 + + SRG-OS-000120-GPOS-00061 <GroupDescription></GroupDescription> - - WN19-CC-000290 - Windows Server 2019 System event log size must be configured to 32768 KB or greater. 
- <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000290 + Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. + <VulnDiscussion>Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. + +Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting "The other domain supports Kerberos AES Encryption" on domain trusts, may be required to allow client communication across the trust relationship.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001849 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> System >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater. - - - - If the system is configured to write events directly to an audit server, this is NA. 
+ V-93495 + SV-103581 + CCI-000803 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: -If the following registry value does not exist or is not configured as specified, this is a finding: +AES128_HMAC_SHA1 +AES256_HMAC_SHA1 +Future encryption types + +Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting "The other domain supports Kerberos AES Encryption" on domain trusts, may be required to allow client communication across the trust relationship. + + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ -Value Name: MaxSize +Value Name: SupportedEncryptionTypes -Type: REG_DWORD -Value: 0x00008000 (32768) (or greater) +Value Type: REG_DWORD +Value: 0x7ffffff8 (2147483640) - - SRG-OS-000342-GPOS-00133 + + SRG-OS-000123-GPOS-00064 <GroupDescription></GroupDescription> - - WN19-AU-000010 - Windows Server 2019 audit records must be backed up to a different system or media than the system being audited. - <VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. 
Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-001851 - Establish and implement a process for backing up log data to another system or media other than the system being audited. - - - - Determine if a process to back up log data to a different system or media than the system being audited has been implemented. + + WN19-00-000310 + Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. + <VulnDiscussion>Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. -If it has not, this is a finding. - - - - - SRG-OS-000479-GPOS-00224 - <GroupDescription></GroupDescription> - - WN19-AU-000020 - Windows Server 2019 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. - <VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. 
Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-001851 - Configure the system to, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. - - - - Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. +Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. -If they are not, this is a finding. - - - - - SRG-OS-000355-GPOS-00143 - <GroupDescription></GroupDescription> - - WN19-00-000440 - The Windows Server 2019 time service must synchronize with an appropriate DoD time source. - <VulnDiscussion>The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Windows Time Service is used, it must synchronize with a secure, authorized time source. 
Domain-joined systems are automatically configured to synchronize with domain controllers. If an NTP server is configured, it must synchronize with a secure, authorized time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001891 - Configure the system to synchronize time with an appropriate DoD time source. + SV-103065 + V-92977 + CCI-001682 + Remove emergency administrator accounts after a crisis has been resolved or configure the accounts to automatically expire within 72 hours. -Domain-joined systems use NT5DS to synchronize time from other systems in the domain by default. +Domain accounts can be configured with an account expiration date, under "Account" properties. 
-If the system needs to be configured to an NTP server, configure the system to point to an authorized time server by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an appropriate DoD time server. +Local accounts can be configured to expire with the command "Net user [username] /expires:[mm/dd/yyyy]", where username is the name of the temporary user account. + + + + Determine if emergency administrator accounts are used and identify any that exist. If none exist, this is NA. -The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy. - - - - Review the Windows time service configuration. +If emergency administrator accounts cannot be configured with an expiration date due to an ongoing crisis, the accounts must be disabled or removed when the crisis is resolved. -Open an elevated "Command Prompt" (run as administrator). +If emergency administrator accounts have not been configured with an expiration date or have not been disabled or removed following the resolution of a crisis, this is a finding. -Enter "W32tm /query /configuration". +Domain Controllers: -Domain-joined systems (excluding the domain controller with the PDC emulator role): +Open "PowerShell". -If the value for "Type" under "NTP Client" is not "NT5DS", this is a finding. +Enter "Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate". -Other systems: +If "AccountExpirationDate" has been defined and is not within 72 hours for an emergency administrator account, this is a finding. 
-If systems are configured with a "Type" of "NTP", including standalone systems and the domain controller with the PDC Emulator role, and do not have a DoD time server defined for "NTPServer", this is a finding. +Member servers and standalone systems: -To determine the domain controller with the PDC Emulator role: +Open "Command Prompt". -Open "PowerShell". +Run "Net user [username]", where [username] is the name of the emergency account. -Enter "Get-ADDomain | FT PDCEmulator". +If "Account expires" has been defined and is not within 72 hours for an emergency administrator account, this is a finding. - - SRG-OS-000057-GPOS-00027 + + SRG-OS-000125-GPOS-00065 <GroupDescription></GroupDescription> - - WN19-AU-000030 - Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Application event log may be susceptible to tampering if proper permissions are not applied. - -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000470 + Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication. + <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000162 - CCI-000163 - CCI-000164 - Configure the permissions on the Application event log file (Application.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\System32\winevt\Logs" folder. - -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". - - - - Navigate to the Application event log file. + SV-103589 + V-93503 + CCI-000877 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow Basic authentication" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ -If the permissions for the "Application.evtx" file are not as restrictive as the default permissions listed below, this is a finding: +Value Name: AllowBasic -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000057-GPOS-00027 + + SRG-OS-000125-GPOS-00065 <GroupDescription></GroupDescription> - - WN19-AU-000040 - Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The Security event log may disclose sensitive information or be susceptible to tampering if proper permissions are not applied. - -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000490 + Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication. + <VulnDiscussion>Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. 
Disallowing Digest authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000162 - CCI-000163 - CCI-000164 - Configure the permissions on the Security event log file (Security.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\System32\winevt\Logs" folder. - -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". - - - - Navigate to the Security event log file. + SV-103591 + V-93505 + CCI-000877 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Disallow Digest authentication" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ -If the permissions for the "Security.evtx" file are not as restrictive as the default permissions listed below, this is a finding: +Value Name: AllowDigest -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000057-GPOS-00027 + + SRG-OS-000125-GPOS-00065 <GroupDescription></GroupDescription> - - WN19-AU-000050 - Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts. - <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. The System event log may be susceptible to tampering if proper permissions are not applied. - -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000500 + Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication. + <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000162 - CCI-000163 - CCI-000164 - Configure the permissions on the System event log file (System.evtx) to prevent access by non-privileged accounts. The default permissions listed below satisfy this requirement: - -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control - -The default location is the "%SystemRoot%\System32\winevt\Logs" folder. - -If the location of the logs has been changed, when adding Eventlog to the permissions, it must be entered as "NT Service\Eventlog". - - - - Navigate to the System event log file. + SV-103593 + V-93507 + CCI-000877 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow Basic authentication" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -The default location is the "%SystemRoot%\System32\winevt\Logs" folder. However, the logs may have been moved to another folder. 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ -If the permissions for the "System.evtx" file are not as restrictive as the default permissions listed below, this is a finding: +Value Name: AllowBasic -Eventlog - Full Control -SYSTEM - Full Control -Administrators - Full Control +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000257-GPOS-00098 + + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - - WN19-AU-000060 - Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion. - <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. - -Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification or deletion of audit tools. - -Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000240 + Windows Server 2019 administrator accounts must not be enumerated during elevation. + <VulnDiscussion>Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. 
This setting configures the system to always require users to type in a username and password to elevate a running application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001494 - CCI-001495 - Configure the permissions on the "Eventvwr.exe" file to prevent modification by any groups or accounts other than TrustedInstaller. The default permissions listed below satisfy this requirement: - -TrustedInstaller - Full Control -Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute - -The default location is the "%SystemRoot%\System32" folder. - - - - Navigate to "%SystemRoot%\System32". - -View the permissions on "Eventvwr.exe". + V-93517 + SV-103603 + CCI-001084 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -If any groups or accounts other than TrustedInstaller have "Full control" or "Modify" permissions, this is a finding. 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ -The default permissions below satisfy this requirement: +Value Name: EnumerateAdministrators -TrustedInstaller - Full Control -Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000362-GPOS-00149 + + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - - WN19-CC-000420 - Windows Server 2019 must prevent users from changing installation options. - <VulnDiscussion>Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-MS-000020 + Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers. + <VulnDiscussion>A compromised local administrator account can provide means for an attacker to move laterally between domain systems. 
+ +With User Account Control enabled, filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001812 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Allow user control over installs" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93519 + SV-103605 + CCI-001084 + Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Apply UAC restrictions to local accounts on network logons" to "Enabled". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ +This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and " SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + This applies to member servers. For domain controllers and standalone systems, this is NA. 
-Value Name: EnableUserControl +If the following registry value does not exist or is not configured as specified, this is a finding: -Type: REG_DWORD -Value: 0x00000000 (0) +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + +Value Name: LocalAccountTokenFilterPolicy + +Type: REG_DWORD +Value: 0x00000000 (0) + +This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to "1" may be required. - - SRG-OS-000362-GPOS-00149 + + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - - WN19-CC-000430 - Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option. - <VulnDiscussion>Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000390 + Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. + <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001812 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93521 + SV-103607 + CCI-001084 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" to "Disabled". + + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ +If the following registry value does not exist or is not configured as specified, this is a finding: -Value Name: AlwaysInstallElevated +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -Type: REG_DWORD +Value Name: EnableUIADesktopToggle + +Value Type: REG_DWORD Value: 0x00000000 (0) - - SRG-OS-000363-GPOS-00150 + + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - - WN19-00-000220 - Windows Server 2019 system files must be monitored for unauthorized changes. - <VulnDiscussion>Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000400 + Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. + <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001744 - Monitor the system for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. This can be done with the use of various monitoring tools. - - - - Determine whether the system is monitored for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. + V-93523 + SV-103609 + CCI-001084 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent on the secure desktop". -If system files are not monitored for unauthorized changes, this is a finding. +The more secure option for this setting, "Prompt for credentials on the secure desktop", would also be acceptable. + + + + UAC requirements are NA for Server Core installations (this is default installation option for Windows Server 2019 versus Server with Desktop Experience). + +If the following registry value does not exist or is not configured as specified, this is a finding: -A properly configured HBSS Policy Auditor 5.2 or later File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. 
The Asset module within HBSS does not meet this requirement. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: ConsentPromptBehaviorAdmin + +Value Type: REG_DWORD +Value: 0x00000002 (2) (Prompt for consent on the secure desktop) +0x00000001 (1) (Prompt for credentials on the secure desktop) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - - WN19-00-000030 - Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. - <VulnDiscussion>Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. - -Since administrative accounts may generally change or work around technical restrictions for running a web browser or other applications, it is essential that policy require administrative accounts to not access the Internet or use applications such as email. - -The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. 
- -Whitelisting can be used to enforce the policy to ensure compliance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000420 + Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation. + <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Windows to respond to application installation requests by prompting for credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Establish a policy, at minimum, to prohibit administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Ensure the policy is enforced. + V-93525 + SV-103611 + CCI-001084 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Detect application installations and prompt for elevation" to "Enabled". 
+ + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). -The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement. - - - - Determine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. +If the following registry value does not exist or is not configured as specified, this is a finding: -If it does not, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement. +Value Name: EnableInstallerDetection + +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - - WN19-00-000040 - Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. - <VulnDiscussion>Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. 
Members of the Backup Operators group must have separate logon accounts for performing backup duties.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000430 + Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations. + <VulnDiscussion>UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\System32 folders, to run with elevated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions. - - - - If no accounts are members of the Backup Operators group, this is NA. + SV-103613 + V-93527 + CCI-001084 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled". 
+ + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). -Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. +If the following registry value does not exist or is not configured as specified, this is a finding: -If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ + +Value Name: EnableSecureUIAPaths + +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000134-GPOS-00068 <GroupDescription></GroupDescription> - - WN19-00-000060 - Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. - <VulnDiscussion>Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are used, this alleviates the need to manually change application account passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000450 + Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations. 
+ <VulnDiscussion>UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. - -It is recommended that system-managed service accounts be used whenever possible. - - - - Determine if manually managed application/service accounts exist. If none exist, this is NA. - -If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. - -Identify manually managed application/service accounts. - -To determine the date a password was last changed: - -Domain controllers: - -Open "PowerShell". - -Enter "Get-AdUser -Identity [application account name] -Properties PasswordLastSet | FT Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. - -If the "PasswordLastSet" date is more than one year old, this is a finding. 
- + SV-103615 + V-93529 + CCI-001084 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled". + + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). -Member servers and standalone systems: +If the following registry value does not exist or is not configured as specified, this is a finding: -Open "Command Prompt". +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. +Value Name: EnableVirtualization -If the "Password Last Set" date is more than one year old, this is a finding. +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - - WN19-00-000090 - Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. - <VulnDiscussion>Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met in order for Credential Guard to be configured and enabled properly. 
Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000230 + Windows Server 2019 non-system-created file shares must limit access to groups that require it. + <VulnDiscussion>Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) + SV-103617 + V-93531 + CCI-001090 + If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. -The TPM must be enabled in the firmware. +Remove any unnecessary non-system-created shares. + + + + If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. (System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) 
-Run "tpm.msc" for configuration options in Windows. - - - - For standalone systems, this is NA. +Run "Computer Management". -Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. +Navigate to System Tools >> Shared Folders >> Shares. -Verify the system has a TPM and it is ready for use. +Right-click any non-system-created shares. -Run "tpm.msc". +Select "Properties". -Review the sections in the center pane. +Select the "Share Permissions" tab. -"Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". +If the file shares have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding. -TPM Manufacturer Information - Specific Version = 2.0 or 1.2 +Select the "Security" tab. -If a TPM is not found or is not ready for use, this is a finding. +If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding. - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - - WN19-00-000100 - Windows Server 2019 must be maintained at a supported servicing level. - <VulnDiscussion>Systems at unsupported servicing levels will not receive security updates for new vulnerabilities, which leave them subject to exploitation. 
Systems must be maintained at a servicing level supported by the vendor with new security updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000350 + Windows Server 2019 Remote Desktop Services must prevent drive redirection. + <VulnDiscussion>Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Update the system to a Version 1809 (Build 17763.xxx) or greater. - - - - Open "Command Prompt". + V-93533 + SV-103619 + CCI-001090 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> "Do not allow drive redirection" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Enter "winver.exe". 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ -If the "About Windows" dialog box does not display "Microsoft Windows Server Version 1809 (Build 17763.xxx)" or greater, this is a finding. +Value Name: fDisableCdm -Preview versions must not be used in a production environment. +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - - WN19-00-000110 - Windows Server 2019 must use an anti-virus program. - <VulnDiscussion>Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000230 + Windows Server 2019 must not allow anonymous enumeration of shares. + <VulnDiscussion>Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Install an anti-virus solution on the system. 
- - - - Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. + V-93537 + SV-103623 + CCI-001090 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ + +Value Name: RestrictAnonymous -If there is no anti-virus solution installed on the system, this is a finding. +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000138-GPOS-00069 <GroupDescription></GroupDescription> - - WN19-00-000120 - Windows Server 2019 must have a host-based intrusion detection or prevention system. - <VulnDiscussion>A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense against unauthorized access to critical servers. With proper configuration and logging enabled, such a system can stop and/or alert for many attempts to gain unauthorized access to resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000250 + Windows Server 2019 must restrict anonymous access to Named Pipes and Shares. + <VulnDiscussion>Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. 
This setting restricts access to those defined in "Network access: Named Pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously", both of which must be blank under other requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Install a HIDS or HIPS on each server. - - - - Determine whether there is a HIDS or HIPS on each server. + V-93539 + SV-103625 + CCI-001090 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ -A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the ISSO. +Value Name: RestrictNullSessAccess -If a HIDS is not installed on the system, this is a finding. +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000185-GPOS-00079 <GroupDescription></GroupDescription> - - WN19-00-000240 - Windows Server 2019 must have software certificate installation files removed. 
- <VulnDiscussion>Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000250 + Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. + <VulnDiscussion>This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). 
+ +Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Remove any certificate installation files (*.p12 and *.pfx) found on a system. - -Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. - - - - Search all drives for *.p12 and *.pfx files. - -If any files with these extensions exist, this is a finding. + V-93515 + SV-103601 + CCI-001199 + CCI-002475 + CCI-002476 + Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest. + + + + Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. -This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO. +If they do not, this is a finding. 
- - SRG-OS-000480-GPOS-00227 + + SRG-OS-000191-GPOS-00080 <GroupDescription></GroupDescription> - - WN19-00-000420 - Windows Server 2019 FTP servers must be configured to prevent anonymous logons. - <VulnDiscussion>The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult. - -Using accounts that have administrator privileges to log on to FTP risks that the userid and password will be captured on the network and give administrator access to an unauthorized user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000290 + Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). + <VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. 
The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the FTP service to prevent anonymous logons. - -Open "Internet Information Services (IIS) Manager". - -Select the server. - -Double-click "FTP Authentication". - -Select "Anonymous Authentication". - -Select "Disabled" under "Actions". - - - - If FTP is not installed on the system, this is NA. - -Open "Internet Information Services (IIS) Manager". - -Select the server. - -Double-click "FTP Authentication". + V-93567 + SV-103653 + CCI-001233 + Install a DoD approved HBSS software and ensure it is operating continuously. + + + + Verify DoD approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. -If the "Anonymous Authentication" status is "Enabled", this is a finding. +If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured, maintained, or used, this is a finding. - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000240-GPOS-00090 <GroupDescription></GroupDescription> - - WN19-00-000430 - Windows Server 2019 FTP servers must be configured to prevent access to the system drive. 
- <VulnDiscussion>The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, especially if the user can gain access to the root directory of the boot drive.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000150 + Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Account Lockout events can be used to identify potentially malicious logon attempts. + +Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system. 
- - - - If FTP is not installed on the system, this is NA. + SV-103075 + V-92987 + CCI-000172 + CCI-001404 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Open "Internet Information Services (IIS) Manager". +Use the "AuditPol" tool to review the current Audit Policy configuration: -Select "Sites" under the server name. +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -For any sites with a Binding that lists FTP, right-click the site and select "Explore". +Enter "AuditPol /get /category:*" -If the site is not defined to a specific folder for shared FTP resources, this is a finding. +Compare the "AuditPol" settings with the following: -If the site includes any system areas such as root of the drive, Program Files, or Windows directories, this is a finding. +If the system does not audit the following, this is a finding. + +Logon/Logoff >> Account Lockout - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000240-GPOS-00090 <GroupDescription></GroupDescription> - - WN19-00-000460 - Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. - <VulnDiscussion>UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional security features in Windows, including Virtualization Based Security and Credential Guard. 
Systems with UEFI that are operating in "Legacy BIOS" mode will not support these security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000160 + Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Account Lockout events can be used to identify potentially malicious logon attempts. + +Satisfies: SRG-OS-000240-GPOS-00090, SRG-OS-000470-GPOS-00214</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure UEFI firmware to run in "UEFI" mode, not "Legacy BIOS" mode. - - - - Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. 
Devices that have UEFI firmware must run in "UEFI" mode. + SV-103077 + V-92989 + CCI-000172 + CCI-001404 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Account Lockout" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Verify the system firmware is configured to run in "UEFI" mode, not "Legacy BIOS". +Use the "AuditPol" tool to review the current Audit Policy configuration: -Run "System Information". +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Under "System Summary", if "BIOS Mode" does not display "UEFI", this is a finding. +Enter "AuditPol /get /category:*" + +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. + +Logon/Logoff >> Account Lockout - Failure - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000257-GPOS-00098 <GroupDescription></GroupDescription> - - WN19-00-000470 - Windows Server 2019 must have Secure Boot enabled. - <VulnDiscussion>Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security features in Windows, including Virtualization Based Security and Credential Guard. 
If Secure Boot is turned off, these security features will not function.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000060 + Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion. + <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. + +Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification or deletion of audit tools. + +Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Enable Secure Boot in the system firmware. - - - - Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. 
+ SV-103283 + V-93195 + CCI-001494 + CCI-001495 + Configure the permissions on the "Eventvwr.exe" file to prevent modification by any groups or accounts other than TrustedInstaller. The default permissions listed below satisfy this requirement: -Run "System Information". +TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute -Under "System Summary", if "Secure Boot State" does not display "On", this is a finding. +The default location is the "%SystemRoot%\System32" folder. + + + + Navigate to "%SystemRoot%\System32". -On server core installations, run the following PowerShell command: +View the permissions on "Eventvwr.exe". -Confirm-SecureBootUEFI +If any groups or accounts other than TrustedInstaller have "Full control" or "Modify" permissions, this is a finding. -If a value of "True" is not returned, this is a finding. +The default permissions below satisfy this requirement: + +TrustedInstaller - Full Control +Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES - Read & Execute - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - - WN19-CC-000030 - Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. - <VulnDiscussion>Configuring the system to disable IPv6 source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000140 + Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements. 
+ <VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. + +The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). + +Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. + V-93019 + SV-103107 + CCI-002165 + Maintain the default permissions for the system drive's root directory and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN19-SO-000240). -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Default Permissions +C:\ +Type - "Allow" for all +Inherited from - "None" for all -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ +Principal - Access - Applies to -Value Name: DisableIPSourceRouting +SYSTEM - Full control - This folder, subfolders, and files +Administrators - Full control - This folder, subfolders, and files +Users - Read & execute - This folder, subfolders, and files +Users - Create folders/append data - This folder and subfolders +Users - Create files/write data - Subfolders only +CREATOR OWNER - Full Control - Subfolders and files only + + + + The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). -Type: REG_DWORD -Value: 0x00000002 (2) - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN19-CC-000040 - Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. 
- <VulnDiscussion>Configuring the system to disable IP source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. +Review the permissions for the system drive's root directory (usually C:\). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions except where noted as defaults. Individual accounts must not be used to assign permissions. -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - - - - If the following registry value does not exist or is not configured as specified, this is a finding: +If permissions are not as restrictive as the default permissions listed below, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ +Viewing in File Explorer: -Value Name: DisableIPSourceRouting +View the Properties of the system drive's root directory. 
-Value Type: REG_DWORD -Value: 0x00000002 (2) - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN19-CC-000050 - Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. - <VulnDiscussion>Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via the shortest path first.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to "Disabled". +Select the "Security" tab, and the "Advanced" button. -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Default permissions: +C:\ +Type - "Allow" for all +Inherited from - "None" for all -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ +Principal - Access - Applies to -Value Name: EnableICMPRedirect +SYSTEM - Full control - This folder, subfolders, and files +Administrators - Full control - This folder, subfolders, and files +Users - Read & execute - This folder, subfolders, and files +Users - Create folders/append data - This folder and subfolders +Users - Create files/write data - Subfolders only +CREATOR OWNER - Full Control - Subfolders and files only -Value Type: REG_DWORD -Value: 0x00000000 (0) - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN19-CC-000070 - Windows Server 2019 insecure logons to an SMB server must be disabled. - <VulnDiscussion>Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Lanman Workstation >> "Enable insecure guest logons" to "Disabled". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Alternately, use icacls: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\ +Open "Command Prompt (Admin)". -Value Name: AllowInsecureGuestAuth +Enter "icacls" followed by the directory: -Type: REG_DWORD -Value: 0x00000000 (0) +"icacls c:\" + +The following results should be displayed: + +c:\ +NT AUTHORITY\SYSTEM:(OI)(CI)(F) +BUILTIN\Administrators:(OI)(CI)(F) +BUILTIN\Users:(OI)(CI)(RX) +BUILTIN\Users:(CI)(AD) +BUILTIN\Users:(CI)(IO)(WD) +CREATOR OWNER:(OI)(CI)(IO)(F) +Successfully processed 1 files; Failed processing 0 files - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - - WN19-CC-000080 - Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. - <VulnDiscussion>Additional security requirements are applied to UNC paths specified in hardened UNC paths before allowing access to them. This aids in preventing tampering with or spoofing of connections to these paths.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000150 + Windows Server 2019 permissions for program file directories must conform to minimum requirements. + <VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. 
+ +The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). + +Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Network Provider >> "Hardened UNC Paths" to "Enabled" with at least the following configured in "Hardened UNC Paths" (click the "Show" button to display): + V-93021 + SV-103109 + CCI-002165 + Maintain the default permissions for the program file directories and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN19-SO-000240). -Value Name: \\*\SYSVOL -Value: RequireMutualAuthentication=1, RequireIntegrity=1 +Default permissions: +\Program Files and \Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all -Value Name: \\*\NETLOGON -Value: RequireMutualAuthentication=1, RequireIntegrity=1 - - - - This requirement is applicable to domain-joined systems. For standalone systems, this is NA. 
+Principal - Access - Applies to -If the following registry values do not exist or are not configured as specified, this is a finding: +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders, and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files +ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files + + + + The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\ +Review the permissions for the program file directories (Program Files and Program Files [x86]). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. Individual accounts must not be used to assign permissions. -Value Name: \\*\NETLOGON -Value Type: REG_SZ -Value: RequireMutualAuthentication=1, RequireIntegrity=1 +If permissions are not as restrictive as the default permissions listed below, this is a finding. -Value Name: \\*\SYSVOL -Value Type: REG_SZ -Value: RequireMutualAuthentication=1, RequireIntegrity=1 +Viewing in File Explorer: -Additional entries would not be a finding. +For each folder, view the Properties. + +Select the "Security" tab, and the "Advanced" button. 
+ +Default permissions: +\Program Files and \Program Files (x86) +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files +ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files + +Alternately, use icacls: + +Open a Command prompt (admin). + +Enter "icacls" followed by the directory: + +'icacls "c:\program files"' +'icacls "c:\program files (x86)"' + +The following results should be displayed for each when entered: + +c:\program files (c:\program files (x86)) +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000312-GPOS-00122 <GroupDescription></GroupDescription> - - WN19-CC-000100 - Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials. 
- <VulnDiscussion>An exportable version of credentials is provided to remote hosts when using credential delegation which exposes them to theft on the remote host. Restricted Admin mode or Remote Credential Guard allow delegation of non-exportable credentials providing additional protection of the credentials. Enabling this configures the host to support Restricted Admin mode or Remote Credential Guard.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000160 + Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. + <VulnDiscussion>Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. + +The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). 
+ +Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> "Remote host allows delegation of non-exportable credentials" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93023 + SV-103111 + CCI-002165 + Maintain the default file ACLs and configure the Security Option "Network access: Let Everyone permissions apply to anonymous users" to "Disabled" (WN19-SO-000240). 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\ +Default permissions: +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders, and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files +ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files + + + + The default permissions are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (WN19-SO-000240). + +Review the permissions for the Windows installation directory (usually C:\Windows). Non-privileged groups such as Users or Authenticated Users must not have greater than "Read & execute" permissions. Individual accounts must not be used to assign permissions. + +If permissions are not as restrictive as the default permissions listed below, this is a finding: + +Viewing in File Explorer: + +For each folder, view the Properties. + +Select the "Security" tab and the "Advanced" button. 
+ +Default permissions: +\Windows +Type - "Allow" for all +Inherited from - "None" for all + +Principal - Access - Applies to + +TrustedInstaller - Full control - This folder and subfolders +SYSTEM - Modify - This folder only +SYSTEM - Full control - Subfolders and files only +Administrators - Modify - This folder only +Administrators - Full control - Subfolders and files only +Users - Read & execute - This folder, subfolders, and files +CREATOR OWNER - Full control - Subfolders and files only +ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files +ALL RESTRICTED APPLICATION PACKAGES - Read & execute - This folder, subfolders, and files + +Alternately, use icacls: + +Open a Command prompt (admin). + +Enter "icacls" followed by the directory: + +"icacls c:\windows" + +The following results should be displayed for each when entered: + +c:\windows +NT SERVICE\TrustedInstaller:(F) +NT SERVICE\TrustedInstaller:(CI)(IO)(F) +NT AUTHORITY\SYSTEM:(M) +NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) +BUILTIN\Administrators:(M) +BUILTIN\Administrators:(OI)(CI)(IO)(F) +BUILTIN\Users:(RX) +BUILTIN\Users:(OI)(CI)(IO)(GR,GE) +CREATOR OWNER:(OI)(CI)(IO)(F) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX) +APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) +Successfully processed 1 files; Failed processing 0 files + + + + + SRG-OS-000324-GPOS-00125 + <GroupDescription></GroupDescription> + + WN19-00-000170 + Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. + <VulnDiscussion>The registry is integral to the function, security, and stability of the Windows system. 
Changing the system's registry permissions allows the possibility of unauthorized and anonymous modification to the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93025 + SV-103113 + CCI-002235 + Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive. + +The default permissions of the higher-level keys are noted below. + +HKEY_LOCAL_MACHINE\SECURITY + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +SYSTEM - Full Control - This key and subkeys +Administrators - Special - This key and subkeys + +HKEY_LOCAL_MACHINE\SOFTWARE + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +Users - Read - This key and subkeys +Administrators - Full Control - This key and subkeys +SYSTEM - Full Control - This key and subkeys +CREATOR OWNER - Full Control - This key and subkeys +ALL APPLICATION PACKAGES - Read - This key and subkeys + +HKEY_LOCAL_MACHINE\SYSTEM + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +Users - Read - This key and subkeys +Administrators - Full Control - This key and subkeys +SYSTEM - Full Control - This key and subkeys +CREATOR OWNER - Full Control - Subkeys only +ALL APPLICATION PACKAGES - Read - This key and subkeys + +Microsoft has also given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID. 
+S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 + + + + Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive noted below. + +If any non-privileged groups such as Everyone, Users, or Authenticated Users have greater than Read permission, this is a finding. + +If permissions are not as restrictive as the default permissions listed below, this is a finding: + +Run "Regedit". + +Right-click on the registry areas noted below. + +Select "Permissions" and the "Advanced" button. + +HKEY_LOCAL_MACHINE\SECURITY + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +SYSTEM - Full Control - This key and subkeys +Administrators - Special - This key and subkeys + +HKEY_LOCAL_MACHINE\SOFTWARE + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +Users - Read - This key and subkeys +Administrators - Full Control - This key and subkeys +SYSTEM - Full Control - This key and subkeys +CREATOR OWNER - Full Control - This key and subkeys +ALL APPLICATION PACKAGES - Read - This key and subkeys + +HKEY_LOCAL_MACHINE\SYSTEM + +Type - "Allow" for all +Inherited from - "None" for all +Principal - Access - Applies to +Users - Read - This key and subkeys +Administrators - Full Control - This key and subkeys +SYSTEM - Full Control - This key and subkeys +CREATOR OWNER - Full Control - Subkeys only +ALL APPLICATION PACKAGES - Read - This key and subkeys + +Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission. + +Microsoft has given Read permission to the SOFTWARE and SYSTEM registry keys in Windows Server 2019 to the following SID, this is currently not a finding. +S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 + +If the defaults have not been changed, these are not a finding. 
+ + + + + SRG-OS-000324-GPOS-00125 + <GroupDescription></GroupDescription> + + WN19-MS-000010 + Windows Server 2019 must only allow administrators responsible for the member server or standalone system to have Administrator rights on the system. + <VulnDiscussion>An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and make it vulnerable to attack. + +System administrators must log on to systems using only accounts with the minimum level of authority necessary. + +For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group (see V-36433 in the Active Directory Domain STIG). Restricting highly privileged accounts from the local Administrators group helps mitigate the risk of privilege escalation resulting from credential theft attacks. + +Standard user accounts must not be members of the built-in Administrators group.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103131 + V-93043 + CCI-002235 + Configure the local "Administrators" group to include only administrator groups or accounts responsible for administration of the system. + +For domain-joined member servers, replace the Domain Admins group with a domain member server administrator group. + +Remove any standard user accounts. + + + + This applies to member servers and standalone systems. A separate version applies to domain controllers. + +Open "Computer Management". 
+ +Navigate to "Groups" under "Local Users and Groups". + +Review the local "Administrators" group. + +Only administrator groups or accounts responsible for administration of the system may be members of the group. + +For domain-joined member servers, the Domain Admins group must be replaced by a domain member server administrator group. + +Standard user accounts must not be members of the local Administrator group. -Value Name: AllowProtectedCreds +If accounts that do not have responsibility for administration of the system are members of the local Administrators group, this is a finding. -Type: REG_DWORD -Value: 0x00000001 (1) +If the built-in Administrator account or other required administrative accounts are found on the system, this is not a finding. - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - - WN19-CC-000110 - Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. - <VulnDiscussion>Virtualization Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum security level, with DMA protection providing additional memory protection. DMA Protection requires a CPU that supports input/output memory management unit (IOMMU).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-MS-000060 + Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone systems. 
+ <VulnDiscussion>The Windows SAM stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot" or "Secure Boot and DMA Protection" selected. + V-93045 + SV-103133 + CCI-002235 + Navigate to the policy Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict clients allowed to make remote calls to SAM". +Select "Edit Security" to configure the "Security descriptor:". -A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: +Add "Administrators" in "Group or user names:" if it is not already listed (this is the default). -https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard - - - - For standalone systems, this is NA. +Select "Administrators" in "Group or user names:". -Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. +Select "Allow" for "Remote Access" in "Permissions for "Administrators". 
-Open "PowerShell" with elevated privileges (run as administrator). +Click "OK". -Enter the following: +The "Security descriptor:" must be populated with "O:BAG:BAD:(A;;RC;;;BA) for the policy to be enforced. + + + + This applies to member servers and standalone systems; it is NA for domain controllers. -"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" +If the following registry value does not exist or is not configured as specified, this is a finding: -If "RequiredSecurityProperties" does not include a value of "2" indicating "Secure Boot" (e.g., "{1, 2}"), this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ -If "Secure Boot and DMA Protection" is configured, "3" will also be displayed in the results (e.g., "{1, 2, 3}"). +Value Name: RestrictRemoteSAM -If "VirtualizationBasedSecurityStatus" is not a value of "2" indicating "Running", this is a finding. +Value Type: REG_SZ +Value: O:BAG:BAD:(A;;RC;;;BA) + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN19-AU-000090 + Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Alternately: +Other Account Management Events records events such as the access of a password hash or the Password Policy Checking API being called. -Run "System Information". 
+Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93089 + SV-103177 + CCI-002234 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Management >> "Audit Other Account Management Events" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Under "System Summary", verify the following: +Use the "AuditPol" tool to review the current Audit Policy configuration: -If "Device Guard Virtualization based security" does not display "Running", this is a finding. +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -If "Device Guard Required Security Properties" does not display "Base Virtualization Support, Secure Boot", this is a finding. +Enter "AuditPol /get /category:*" -If "Secure Boot and DMA Protection" is configured, "DMA Protection" will also be displayed (e.g., "Base Virtualization Support, Secure Boot, DMA Protection"). +Compare the "AuditPol" settings with the following: -The policy settings referenced in the Fix section will configure the following registry values. However, due to hardware requirements, the registry values alone do not ensure proper function. 
+If the system does not audit the following, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ +Account Management >> Other Account Management Events - Success + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN19-AU-000140 + Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Value Name: EnableVirtualizationBasedSecurity -Value Type: REG_DWORD -Value: 0x00000001 (1) +Process Creation records events related to the creation of a process and the source. 
-Value Name: RequirePlatformSecurityFeatures -Value Type: REG_DWORD -Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA Protection) +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103179 + V-93091 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit Process Creation" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: +Use the "AuditPol" tool to review the current Audit Policy configuration: -https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). + +Enter "AuditPol /get /category:*" + +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. 
+ +Detailed Tracking >> Process Creation - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-CC-000130 - Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. - <VulnDiscussion>Compromised boot drivers can introduce malware prior to protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on classifications determined by the malware protection application. At a minimum, drivers determined to be bad must not be allowed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000260 + Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Policy Change records events related to changes in audit policy. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). - -If this needs to be corrected or a more secure setting is desired, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Early Launch Antimalware >> "Boot-Start Driver Initialization Policy" to "Not Configured" or "Enabled" with any option other than "All" selected. - - - - The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). + V-93093 + SV-103181 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -If the registry value name below does not exist, this is not a finding. 
+Use the "AuditPol" tool to review the current Audit Policy configuration: -If it exists and is configured with a value of "0x00000007 (7)", this is a finding. +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\ +Enter "AuditPol /get /category:*" -Value Name: DriverLoadPolicy +Compare the "AuditPol" settings with the following: -Value Type: REG_DWORD -Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name does not exist) +If the system does not audit the following, this is a finding. -Possible values for this setting are: -8 - Good only -1 - Good and unknown -3 - Good, unknown and bad but critical -7 - All (which includes "bad" and would be a finding) +Policy Change >> Audit Policy Change - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-CC-000140 - Windows Server 2019 group policy objects must be reprocessed even if they have not changed. - <VulnDiscussion>Registry entries for group policy settings can potentially be changed from the required configuration. This could occur as part of troubleshooting or by a malicious process on a compromised system. Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures the policies will be reprocessed even if none have been changed. 
This way, any unauthorized changes are forced to match the domain-based group policy settings again.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000270 + Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Policy Change records events related to changes in audit policy. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Group Policy >> "Configure registry policy processing" to "Enabled" with the option "Process even if the Group Policy objects have not changed" selected. 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93095 + SV-103183 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Audit Policy Change" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ +Use the "AuditPol" tool to review the current Audit Policy configuration: -Value Name: NoGPOListChanges +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Type: REG_DWORD -Value: 0x00000000 (0) +Enter "AuditPol /get /category:*" + +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. + +Policy Change >> Audit Policy Change - Failure - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-CC-000180 - Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery). - <VulnDiscussion>A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. 
This setting ensures users are prompted for a password when the system wakes from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000280 + Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Authentication Policy Change records events related to changes in authentication policy, including Kerberos policy and Trust changes. 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (on battery)" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93097 + SV-103185 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authentication Policy Change" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ +Use the "AuditPol" tool to review the current Audit Policy configuration: -Value Name: DCSettingIndex +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). 
-Type: REG_DWORD -Value: 0x00000001 (1) +Enter "AuditPol /get /category:*" + +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. + +Policy Change >> Authentication Policy Change - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-CC-000190 - Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in). - <VulnDiscussion>A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. This setting ensures users are prompted for a password when the system wakes from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000290 + Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Authorization Policy Change records events related to changes in user rights, such as "Create a token object". 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (plugged in)" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93099 + SV-103187 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Policy Change >> "Audit Authorization Policy Change" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ +Use the "AuditPol" tool to review the current Audit Policy configuration: -Value Name: ACSettingIndex +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). 
-Type: REG_DWORD -Value: 0x00000001 (1) +Enter "AuditPol /get /category:*" + +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. + +Policy Change >> Authorization Policy Change - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-CC-000250 - Windows Server 2019 Telemetry must be configured to Security or Basic. - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender, and telemetry client settings. "Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000300 + Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs". + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Data Collection and Preview Builds>> "Allow Telemetry" to "Enabled" with "0 - Security [Enterprise Only]" or "1 - Basic" selected in "Options". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93101 + SV-103189 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\ +Use the "AuditPol" tool to review the current Audit Policy configuration: -Value Name: AllowTelemetry +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). 
-Type: REG_DWORD -Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic) +Enter "AuditPol /get /category:*" + +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. + +Privilege Use >> Sensitive Privilege Use - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-CC-000260 - Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet. - <VulnDiscussion>Windows Update can obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well as on the Internet. This is part of the Windows Update trusted process, however to minimize outside exposure, obtaining updates from or sending to systems on the Internet must be prevented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000310 + Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Sensitive Privilege Use records events related to use of sensitive privileges, such as "Act as part of the operating system" or "Debug programs". 
+ +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Delivery Optimization >> "Download Mode" to "Enabled" with any option except "Internet" selected. + V-93103 + SV-103191 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Privilege Use >> "Audit Sensitive Privilege Use" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Acceptable selections include: +Use the "AuditPol" tool to review the current Audit Policy configuration: -Bypass (100) -Group (2) -HTTP only (0) -LAN (1) -Simple (99) - - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\ +Enter "AuditPol /get /category:*" -Value Name: DODownloadMode +Compare the "AuditPol" settings with the following: -Value Type: REG_DWORD -Value: 0x00000000 (0) - No peering (HTTP Only) -0x00000001 (1) - Peers on same NAT only (LAN) -0x00000002 (2) - Local Network / Private group peering (Group) -0x00000063 (99) - Simple download mode, no peering (Simple) -0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass) +If the system does not audit the following, this is a finding. -A value of 0x00000003 (3), Internet, is a finding. +Privilege Use >> Sensitive Privilege Use - Failure - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-CC-000320 - Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled. - <VulnDiscussion>Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000320 + Windows Server 2019 must be configured to audit System - IPsec Driver successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +IPsec Driver records events related to the IPsec Driver, such as dropped packets. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - The default behavior is for File Explorer heap termination on corruption to be disabled. - -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off heap termination on corruption" to "Not Configured" or "Disabled". - - - - The default behavior is for File Explorer heap termination on corruption to be enabled. + V-93105 + SV-103193 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -If the registry Value Name below does not exist, this is not a finding. 
+Use the "AuditPol" tool to review the current Audit Policy configuration: -If it exists and is configured with a value of "0", this is not a finding. +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -If it exists and is configured with a value of "1", this is a finding. +Enter "AuditPol /get /category:*" -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ +Compare the "AuditPol" settings with the following: -Value Name: NoHeapTerminationOnCorruption +If the system does not audit the following, this is a finding. -Value Type: REG_DWORD -Value: 0x00000000 (0) (or if the Value Name does not exist) +System >> IPsec Driver - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-CC-000330 - Windows Server 2019 File Explorer shell protocol must run in protected mode. - <VulnDiscussion>The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a limited set of folders increases the security of Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000330 + Windows Server 2019 must be configured to audit System - IPsec Driver failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +IPsec Driver records events related to the IPsec Driver, such as dropped packets. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - The default behavior is for shell protected mode to be turned on for File Explorer. - -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled". - - - - The default behavior is for shell protected mode to be turned on for File Explorer. + SV-103195 + V-93107 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit IPsec Driver" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -If the registry value name below does not exist, this is not a finding. 
+Use the "AuditPol" tool to review the current Audit Policy configuration: -If it exists and is configured with a value of "0", this is not a finding. +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -If it exists and is configured with a value of "1", this is a finding. +Enter "AuditPol /get /category:*" -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ +Compare the "AuditPol" settings with the following: -Value Name: PreXPSP2ShellProtocolBehavior +If the system does not audit the following, this is a finding. -Value Type: REG_DWORD -Value: 0x00000000 (0) (or if the Value Name does not exist) +System >> IPsec Driver - Failure - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-CC-000390 - Windows Server 2019 must prevent attachments from being downloaded from RSS feeds. - <VulnDiscussion>Attachments from RSS feeds may not be secure. This setting will prevent attachments from being downloaded from RSS feeds.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000340 + Windows Server 2019 must be configured to audit System - Other System Events successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. 
Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Prevent downloading of enclosures" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93109 + SV-103197 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ +Use the "AuditPol" tool to review the current Audit Policy configuration: -Value Name: DisableEnclosureDownload +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Type: REG_DWORD -Value: 0x00000001 (1) +Enter "AuditPol /get /category:*" + +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. + +System >> Other System Events - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-CC-000440 - Windows Server 2019 users must be notified if a web-based program attempts to install software. - <VulnDiscussion>Web-based programs may attempt to install malicious software on a system. Ensuring users are notified if a web-based program attempts to install software allows them to refuse the installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000350 + Windows Server 2019 must be configured to audit System - Other System Events failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Audit Other System Events records information related to cryptographic key operations and the Windows Firewall service. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. - -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Not Configured" or "Disabled". - - - - The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. + SV-103199 + V-93111 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Other System Events" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -If the registry value name below does not exist, this is not a finding. 
+Use the "AuditPol" tool to review the current Audit Policy configuration: -If it exists and is configured with a value of "0", this is not a finding. +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -If it exists and is configured with a value of "1", this is a finding. +Enter "AuditPol /get /category:*" -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ +Compare the "AuditPol" settings with the following: -Value Name: SafeForScripting +If the system does not audit the following, this is a finding. -Value Type: REG_DWORD -Value: 0x00000000 (0) (or if the Value Name does not exist) +System >> Other System Events - Failure - - SRG-OS-000480-GPOS-00229 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-CC-000450 - Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart. - <VulnDiscussion>Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000360 + Windows Server 2019 must be configured to audit System - Security State Change successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Security State Change records events related to changes in the security state, such as startup and shutdown of the system. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> "Sign-in last interactive user automatically after a system-initiated restart" to "Disabled". - - - - Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. + SV-103201 + V-93113 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security State Change" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ +Use the "AuditPol" tool to review the current Audit Policy configuration: -Value Name: DisableAutomaticRestartSignOn +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Value Type: REG_DWORD -Value: 0x00000001 (1) +Enter "AuditPol /get /category:*" + +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. + +System >> Security State Change - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-MS-000050 - Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers. - <VulnDiscussion>The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000370 + Windows Server 2019 must be configured to audit System - Security System Extension successes. 
+ <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Security System Extension records events related to extension code being loaded by the security subsystem. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)" to "4" logons or less. - - - - This applies to member servers. For domain controllers and standalone systems, this is NA. + SV-103203 + V-93115 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit Security System Extension" with "Success" selected. 
+ + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -If the following registry value does not exist or is not configured as specified, this is a finding: +Use the "AuditPol" tool to review the current Audit Policy configuration: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Value Name: CachedLogonsCount +Enter "AuditPol /get /category:*" -Value Type: REG_SZ -Value: 4 (or less) +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. + +System >> Security System Extension - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000327-GPOS-00127 <GroupDescription></GroupDescription> - - WN19-MS-000140 - Windows Server 2019 must be running Credential Guard on domain-joined member servers. - <VulnDiscussion>Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000380 + Windows Server 2019 must be configured to audit System - System Integrity successes. 
+ <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +System Integrity records events related to violations of integrity to the security subsystem. + +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration". - -A Microsoft article on Credential Guard system requirement can be found at the following link: - -https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements - - - - For domain controllers and standalone systems, this is NA. - -Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. 
+ SV-103205 + V-93117 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Open "PowerShell" with elevated privileges (run as administrator). +Use the "AuditPol" tool to review the current Audit Policy configuration: -Enter the following: +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" +Enter "AuditPol /get /category:*" -If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. +Compare the "AuditPol" settings with the following: -Alternately: +If the system does not audit the following, this is a finding. -Run "System Information". +System >> System Integrity - Success + + + + + SRG-OS-000327-GPOS-00127 + <GroupDescription></GroupDescription> + + WN19-AU-000390 + Windows Server 2019 must be configured to audit System - System Integrity failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Under "System Summary", verify the following: +System Integrity records events related to violations of integrity to the security subsystem. 
-If "Device Guard Security Services Running" does not list "Credential Guard", this is a finding. +Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103207 + V-93119 + CCI-000172 + CCI-002234 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> System >> "Audit System Integrity" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function. +Use the "AuditPol" tool to review the current Audit Policy configuration: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). 
-Value Name: LsaCfgFlags -Value Type: REG_DWORD -Value: 0x00000001 (1) (Enabled with UEFI lock) +Enter "AuditPol /get /category:*" -A Microsoft article on Credential Guard system requirement can be found at the following link: +Compare the "AuditPol" settings with the following: -https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements +If the system does not audit the following, this is a finding. + +System >> System Integrity - Failure - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000341-GPOS-00132 <GroupDescription></GroupDescription> - - WN19-SO-000020 - Windows Server 2019 must prevent local accounts with blank passwords from being used from the network. - <VulnDiscussion>An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000270 + Windows Server 2019 Application event log size must be configured to 32768 KB or greater. + <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Limit local account use of blank passwords to console logon only" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93177 + SV-103265 + CCI-001849 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Application >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater. + + + + If the system is configured to write events directly to an audit server, this is NA. 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ +If the following registry value does not exist or is not configured as specified, this is a finding: -Value Name: LimitBlankPasswordUse +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\ -Value Type: REG_DWORD -Value: 0x00000001 (1) +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000341-GPOS-00132 <GroupDescription></GroupDescription> - - WN19-SO-000100 - Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less. - <VulnDiscussion>Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than 30 days, ensuring the machine changes its password monthly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000280 + Windows Server 2019 Security event log size must be configured to 196608 KB or greater. + <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - This is the default configuration for this setting (30 days). - -Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Maximum machine account password age" to "30" or less (excluding "0", which is unacceptable). - - - - This is the default configuration for this setting (30 days). + SV-103267 + V-93179 + CCI-001849 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> Security >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "196608" or greater. + + + + If the system is configured to write events directly to an audit server, this is NA. 
If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\ -Value Name: MaximumPasswordAge +Value Name: MaxSize -Value Type: REG_DWORD -Value: 0x0000001e (30) (or less, but not 0) +Type: REG_DWORD +Value: 0x00030000 (196608) (or greater) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000341-GPOS-00132 <GroupDescription></GroupDescription> - - WN19-SO-000150 - Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation. - <VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000290 + Windows Server 2019 System event log size must be configured to 32768 KB or greater. + <VulnDiscussion>Inadequate log size will cause the log to fill up quickly. 
This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103269 + V-93181 + CCI-001849 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Event Log Service >> System >> "Specify the maximum log file size (KB)" to "Enabled" with a "Maximum Log Size (KB)" of "32768" or greater. + + + + If the system is configured to write events directly to an audit server, this is NA. 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ - -Value Name: scremoveoption +If the following registry value does not exist or is not configured as specified, this is a finding: -Value Type: REG_SZ -Value: 1 (Lock Workstation) or 2 (Force Logoff) +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\EventLog\System\ -If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO. +Value Name: MaxSize + +Type: REG_DWORD +Value: 0x00008000 (32768) (or greater) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000342-GPOS-00133 <GroupDescription></GroupDescription> - - WN19-SO-000210 - Windows Server 2019 must not allow anonymous SID/Name translation. - <VulnDiscussion>Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000010 + Windows Server 2019 audit records must be backed up to a different system or media than the system being audited. + <VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. 
Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Allow anonymous SID/Name translation" to "Disabled". - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. + V-93183 + SV-103271 + CCI-001851 + Establish and implement a process for backing up log data to another system or media other than the system being audited. + + + + Determine if a process to back up log data to a different system or media than the system being audited has been implemented. -If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. +If it has not, this is a finding. - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000355-GPOS-00143 <GroupDescription></GroupDescription> - - WN19-SO-000220 - Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts. 
- <VulnDiscussion>Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000440 + The Windows Server 2019 time service must synchronize with an appropriate DoD time source. + <VulnDiscussion>The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Windows Time Service is used, it must synchronize with a secure, authorized time source. Domain-joined systems are automatically configured to synchronize with domain controllers. If an NTP server is configured, it must synchronize with a secure, authorized time source.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93187 + SV-103275 + CCI-001891 + Configure the system to synchronize time with an appropriate DoD time source. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ +Domain-joined systems use NT5DS to synchronize time from other systems in the domain by default. -Value Name: RestrictAnonymousSAM +If the system needs to be configured to an NTP server, configure the system to point to an authorized time server by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an appropriate DoD time server. -Value Type: REG_DWORD -Value: 0x00000001 (1) +The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy. + + + + Review the Windows time service configuration. + +Open an elevated "Command Prompt" (run as administrator). + +Enter "W32tm /query /configuration". + +Domain-joined systems (excluding the domain controller with the PDC emulator role): + +If the value for "Type" under "NTP Client" is not "NT5DS", this is a finding. + +Other systems: + +If systems are configured with a "Type" of "NTP", including standalone systems and the domain controller with the PDC Emulator role, and do not have a DoD time server defined for "NTPServer", this is a finding. + +To determine the domain controller with the PDC Emulator role: + +Open "PowerShell". + +Enter "Get-ADDomain | FT PDCEmulator". 
- - SRG-OS-000480-GPOS-00227 + + SRG-OS-000362-GPOS-00149 <GroupDescription></GroupDescription> - - WN19-SO-000240 - Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group. - <VulnDiscussion>Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users must not have these permissions or rights.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000420 + Windows Server 2019 must prevent users from changing installation options. + <VulnDiscussion>Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Let Everyone permissions apply to anonymous users" to "Disabled". 
- - - + SV-103287 + V-93199 + CCI-001812 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Allow user control over installs" to "Disabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ -Value Name: EveryoneIncludesAnonymous +Value Name: EnableUserControl -Value Type: REG_DWORD +Type: REG_DWORD Value: 0x00000000 (0) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000362-GPOS-00149 <GroupDescription></GroupDescription> - - WN19-SO-000260 - Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. - <VulnDiscussion>Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000430 + Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option. + <VulnDiscussion>Standard user accounts must not be granted elevated privileges. 
Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain full control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow Local System to use computer identity for NTLM" to "Enabled". - - - + SV-103289 + V-93201 + CCI-001812 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Always install with elevated privileges" to "Disabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\ +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ -Value Name: UseMachineId +Value Name: AlwaysInstallElevated Type: REG_DWORD -Value: 0x00000001 (1) +Value: 0x00000000 (0) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000363-GPOS-00150 <GroupDescription></GroupDescription> - - WN19-SO-000270 - Windows Server 2019 must prevent NTLM from falling back to a Null session. 
- <VulnDiscussion>NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000220 + Windows Server 2019 system files must be monitored for unauthorized changes. + <VulnDiscussion>Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93203 + SV-103291 + CCI-001744 + Monitor the system for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. This can be done with the use of various monitoring tools. + + + + Determine whether the system is monitored for unauthorized changes to system files (e.g., *.exe, *.bat, *.com, *.cmd, and *.dll) against a baseline on a weekly basis. + +If system files are not monitored for unauthorized changes, this is a finding. + +A properly configured and approved DoD HBSS solution that supports a File Integrity Monitor (FIM) module will meet the requirement for file integrity checking. 
+ + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + WN19-CC-000210 + Windows Server 2019 Autoplay must be turned off for non-volume devices. + <VulnDiscussion>Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow LocalSystem NULL session fallback" to "Disabled". - - - + SV-103459 + V-93373 + CCI-001764 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Disallow Autoplay for non-volume devices" to "Enabled". 
+ + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ -Value Name: allownullsessionfallback +Value Name: NoAutoplayfornonVolume Type: REG_DWORD -Value: 0x00000000 (0) +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - WN19-SO-000280 - Windows Server 2019 must prevent PKU2U authentication using online identities. - <VulnDiscussion>PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000220 + Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands. + <VulnDiscussion>Allowing AutoRun commands to execute may introduce malicious code to a system. 
Configuring this setting prevents AutoRun commands from executing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled". - - - + SV-103461 + V-93375 + CCI-001764 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Set the default behavior for AutoRun" to "Enabled" with "Do not execute any autorun commands" selected. + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\pku2u\ +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ -Value Name: AllowOnlineID +Value Name: NoAutorun Type: REG_DWORD -Value: 0x00000000 (0) +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000368-GPOS-00154 <GroupDescription></GroupDescription> - - WN19-SO-000310 - Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. - <VulnDiscussion>The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. 
NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to standalone computers that are running later versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000230 + Windows Server 2019 AutoPlay must be disabled for all drives. + <VulnDiscussion>Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Enabling this policy disables AutoPlay on all drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM". 
- - - + V-93377 + SV-103463 + CCI-001764 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Turn off AutoPlay" to "Enabled" with "All Drives" selected. + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -Value Name: LmCompatibilityLevel +Value Name: NoDriveTypeAutoRun -Value Type: REG_DWORD -Value: 0x00000005 (5) +Type: REG_DWORD +Value: 0x000000ff (255) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000370-GPOS-00155 <GroupDescription></GroupDescription> - - WN19-SO-000320 - Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing. - <VulnDiscussion>This setting controls the signing requirements for LDAP clients. This must be set to "Negotiate signing" or "Require signing", depending on the environment and type of LDAP server in use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000080 + Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + <VulnDiscussion>Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. + +The organization must identify authorized software programs and only permit execution of authorized software. 
The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum. - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103465 + V-93379 + CCI-001774 + Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + +Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server. + +If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. + +Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: + +https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm + + + + This is applicable to unclassified systems. For other systems, this is NA. + +Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. 
+ +If an application whitelisting program is not in use on the system, this is a finding. + +Configuration of whitelisting applications will vary by the program. + +AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. + +If AppLocker is used, perform the following to view the configuration of AppLocker: + +Open "PowerShell". + +If the AppLocker PowerShell module has not been imported previously, execute the following first: + +Import-Module AppLocker + +Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: + +Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ +This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. -Value Name: LDAPClientIntegrity +Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: -Value Type: REG_DWORD -Value: 0x00000001 (1) +https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - - WN19-SO-000330 - Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. - <VulnDiscussion>Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. 
All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000340 + Windows Server 2019 must not save passwords in the Remote Desktop Client. + <VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client. + +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected). - - - + V-93425 + SV-103511 + CCI-002038 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> "Do not allow passwords to be saved" to "Enabled". 
+ + + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ -Value Name: NTLMMinClientSec +Value Name: DisablePasswordSaving -Value Type: REG_DWORD -Value: 0x20080000 (537395200) +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - - WN19-SO-000340 - Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. - <VulnDiscussion>Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000360 + Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection. + <VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server. 
+ +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected). - - - + V-93427 + SV-103513 + CCI-002038 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Always prompt for password upon connection" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ -Value Name: NTLMMinServerSec +Value Name: fPromptForPassword -Value Type: REG_DWORD -Value: 0x20080000 (537395200) +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - - WN19-SO-000370 - Windows Server 2019 default permissions of global system objects must be strengthened. - <VulnDiscussion>Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. 
Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. When this policy is enabled, the default DACL is stronger, allowing non-administrative users to read shared objects but not to modify shared objects they did not create.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000520 + Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials. + <VulnDiscussion>Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins. + +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)" to "Enabled". 
- - - + V-93429 + SV-103515 + CCI-002038 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Disallow WinRM from storing RunAs credentials" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ -Value Name: ProtectionMode +Value Name: DisableRunAs -Value Type: REG_DWORD +Type: REG_DWORD Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - - WN19-UC-000010 - Windows Server 2019 must preserve zone information when saving attachments. - <VulnDiscussion>Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000380 + Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled. + <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode. 
+ +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - The default behavior is for Windows to mark file attachments with their zone information. - -If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> "Do not preserve zone information in file attachments" to "Not Configured" or "Disabled". - - - - The default behavior is for Windows to mark file attachments with their zone information. - -If the registry Value Name below does not exist, this is not a finding. - -If it exists and is configured with a value of "2", this is not a finding. + V-93431 + SV-103517 + CCI-002038 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled". + + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). -If it exists and is configured with a value of "1", this is a finding. 
+If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_CURRENT_USER -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -Value Name: SaveZoneInformation +Value Name: FilterAdministratorToken Value Type: REG_DWORD -Value: 0x00000002 (2) (or if the Value Name does not exist) +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - - WN19-EP-000010 - Windows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on. - <VulnDiscussion>Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Data Execution Prevention (DEP)", are enabled by default at the system level. DEP prevents code from being run from data-only memory pages. If this is turned off, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000366 - Ensure Exploit Protection system-level mitigation, "Data Execution Prevention (DEP)", is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. - -Open "Windows Defender Security Center". - -Select "App & browser control". - -Select "Exploit protection settings". - -Under "System settings", configure "Data Execution Prevention (DEP)" to "On by default" or "Use default (<On>)". 
- -The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn DEP on (other system level EP requirements can be combined under <SystemConfig>): - -<SystemConfig> - <DEP Enable="true"></DEP> -</SystemConfig> - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - This is applicable to unclassified systems, for other systems this is NA. - -The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -System". - -If the status of "DEP: Enable" is "OFF", this is a finding. - -Values that would not be a finding include: + + WN19-SO-000410 + Windows Server 2019 User Account Control must automatically deny standard user requests for elevation. + <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account. -ON -NOTSET (Default configuration) - - - - - SRG-OS-000480-GPOS-00227 - <GroupDescription></GroupDescription> - - WN19-EP-000030 - Windows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on. 
- <VulnDiscussion>Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Control flow guard (CFG)", are enabled by default at the system level. CFG ensures flow integrity for indirect calls. If this is turned off, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure Exploit Protection system-level mitigation, "Control flow guard (CFG)", is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. - -Open "Windows Defender Security Center". - -Select "App & browser control". - -Select "Exploit protection settings". - -Under "System settings", configure "Control flow guard (CFG)" to "On by default" or "Use default (<On>)". - -The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. 
Adding the following to the XML file will explicitly turn CFG on (other system level EP requirements can be combined under <SystemConfig>): - -<SystemConfig> - <ControlFlowGuard Enable="true"></ControlFlowGuard> -</SystemConfig> - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - This is applicable to unclassified systems, for other systems this is NA. - -The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". - -Run "Windows PowerShell" with elevated privileges (run as administrator). + V-93433 + SV-103519 + CCI-002038 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests". + + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). -Enter "Get-ProcessMitigation -System". +If the following registry value does not exist or is not configured as specified, this is a finding: -If the status of "CFG: Enable" is "OFF", this is a finding. 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -Values that would not be a finding include: +Value Name: ConsentPromptBehaviorUser -ON -NOTSET (Default configuration) +Value Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000373-GPOS-00157 <GroupDescription></GroupDescription> - - WN19-EP-000040 - Windows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on. - <VulnDiscussion>Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Validate exception chains (SEHOP)", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. If this is turned off, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000440 + Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC. + <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. 
+ +Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure Exploit Protection system-level mitigation, "Validate exception chains (SEHOP)", is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. - -Open "Windows Defender Security Center". - -Select "App & browser control". - -Select "Exploit protection settings". - -Under "System settings", configure "Validate exception chains (SEHOP)" to "On by default" or "Use default (<On>)". - -The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn SEHOP on (other system level EP requirements can be combined under <SystemConfig>): - -<SystemConfig> - <SEHOP Enable="true"></SEHOP> -</SystemConfig> - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - This is applicable to unclassified systems, for other systems this is NA. 
- -The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". - -Run "Windows PowerShell" with elevated privileges (run as administrator). + SV-103521 + V-93435 + CCI-002038 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled". + + + + UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). -Enter "Get-ProcessMitigation -System". +If the following registry value does not exist or is not configured as specified, this is a finding: -If the status of "SEHOP: Enable" is "OFF", this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -Values that would not be a finding include: +Value Name: EnableLUA -ON -NOTSET (Default configuration) +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000379-GPOS-00164 <GroupDescription></GroupDescription> - - WN19-EP-000050 - Windows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on. - <VulnDiscussion>Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Validate heap integrity", are enabled by default at the system level. "Validate heap integrity" terminates a process when heap corruption is detected. 
If this is turned off, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-MS-000040 + Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems. + <VulnDiscussion>Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure Exploit Protection system-level mitigation, "Validate heap integrity" is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. - -Open "Windows Defender Security Center". - -Select "App & browser control". - -Select "Exploit protection settings". - -Under "System settings", configure "Validate heap integrity" to "On by default" or "Use default (<On>)". - -The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. 
This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Validate heap integrity on (other system level EP requirements can be combined under <SystemConfig>): - -<SystemConfig> - <Heap TerminateOnError="true"></Heap> -</SystemConfig> - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - This is applicable to unclassified systems, for other systems this is NA. - -The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". - -Run "Windows PowerShell" with elevated privileges (run as administrator). + V-93453 + SV-103539 + CCI-001967 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Procedure Call >> "Restrict Unauthenticated RPC clients" to "Enabled" with "Authenticated" selected. + + + + This applies to member servers and standalone systems, it is NA for domain controllers. -Enter "Get-ProcessMitigation -System". +If the following registry value does not exist or is not configured as specified, this is a finding: -If the status of "Heap: TerminateOnError" is "OFF", this is a finding. 
+Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ -Values that would not be a finding include: +Value Name: RestrictRemoteClients -ON -NOTSET (Default configuration) +Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000379-GPOS-00164 <GroupDescription></GroupDescription> - - WN19-EP-000060 - Windows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000090 + Windows Server 2019 computer account password must not be prevented from being reset. + <VulnDiscussion>Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. 
A new password for the computer account will be generated every 30 days.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for Acrobat.exe: - -DEP: -Enable: ON - -ASLR: -BottomUp: ON -ForceRelocateImages: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name Acrobat.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have a status of "ON", this is a finding: - -DEP: -Enable: ON + V-93455 + SV-103541 + CCI-001967 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Disable machine account password changes" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -ASLR: -BottomUp: ON -ForceRelocateImages: ON +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Value Name: DisablePasswordChange -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +Value Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000393-GPOS-00173 <GroupDescription></GroupDescription> - - WN19-EP-000070 - Windows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000480 + Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic. 
+ <VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. + +Satisfies: SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for AcroRd32.exe: - -DEP: -Enable: ON - -ASLR: -BottomUp: ON -ForceRelocateImages: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. - -This is applicable to unclassified systems, for other systems this is NA. 
+ V-93499 + SV-103585 + CCI-002890 + CCI-003123 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow unencrypted traffic" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Run "Windows PowerShell" with elevated privileges (run as administrator). +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ -Enter "Get-ProcessMitigation -Name AcroRd32.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Value Name: AllowUnencryptedTraffic -If the following mitigations do not have a status of "ON", this is a finding: +Type: REG_DWORD +Value: 0x00000000 (0) + + + + + SRG-OS-000393-GPOS-00173 + <GroupDescription></GroupDescription> + + WN19-CC-000510 + Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic. + <VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. 
-DEP: -Enable: ON +Satisfies: SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103587 + V-93501 + CCI-003123 + CCI-002890 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow unencrypted traffic" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -ASLR: -BottomUp: ON -ForceRelocateImages: ON +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Value Name: AllowUnencryptedTraffic -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000420-GPOS-00186 <GroupDescription></GroupDescription> - - WN19-EP-000080 - Windows Server 2019 Exploit Protection mitigations must be configured for chrome.exe. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000060 + Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers. + <VulnDiscussion>Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for chrome.exe: - -DEP: -Enable: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". 
It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). + SV-103627 + V-93541 + CCI-002385 + Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to "Enabled". -Enter "Get-ProcessMitigation -Name chrome.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -If the following mitigations do not have a status of "ON", this is a finding: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ -DEP: -Enable: ON +Value Name: NoNameReleaseOnDemand -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - - WN19-EP-000090 - Windows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000060 + Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. + <VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted and signed. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for EXCEL.EXE: - -DEP: -Enable: ON - -ASLR: -ForceRelocateImages: ON + SV-103633 + V-93547 + CCI-002418 + CCI-002421 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt or sign secure channel data (always)" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. +Value Name: RequireSignOrSeal -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +Value Type: REG_DWORD +Value: 0x00000001 (1) + + + + + SRG-OS-000423-GPOS-00187 + <GroupDescription></GroupDescription> + + WN19-SO-000070 + Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled. + <VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted. -This is applicable to unclassified systems, for other systems this is NA. 
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93549 + SV-103635 + CCI-002418 + CCI-002421 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt secure channel data (when possible)" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Run "Windows PowerShell" with elevated privileges (run as administrator). +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ -Enter "Get-ProcessMitigation -Name EXCEL.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Value Name: SealSecureChannel -If the following mitigations do not have a status of "ON", this is a finding: +Value Type: REG_DWORD +Value: 0x00000001 (1) + + + + + SRG-OS-000423-GPOS-00187 + <GroupDescription></GroupDescription> + + WN19-SO-000080 + Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. + <VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing secure channel traffic will be signed. 
-DEP: -Enable: ON +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93551 + SV-103637 + CCI-002418 + CCI-002421 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally sign secure channel data (when possible)" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -ASLR: -ForceRelocateImages: ON +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Value Name: SignSecureChannel -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - - WN19-EP-000100 - Windows Server 2019 Exploit Protection mitigations must be configured for firefox.exe. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000110 + Windows Server 2019 must be configured to require a strong session key. + <VulnDiscussion>A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. Requiring strong session keys enforces 128-bit encryption between systems. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for firefox.exe: - -DEP: -Enable: ON - -ASLR: -BottomUp: ON -ForceRelocateImages: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. 
- -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. + V-93553 + SV-103639 + CCI-002418 + CCI-002421 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Require strong (Windows 2000 or Later) session key" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -This is applicable to unclassified systems, for other systems this is NA. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ -Run "Windows PowerShell" with elevated privileges (run as administrator). +Value Name: RequireStrongKey -Enter "Get-ProcessMitigation -Name firefox.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Value Type: REG_DWORD +Value: 0x00000001 (1) + +This setting may prevent a system from being joined to a domain if not configured consistently between systems. + + + + + SRG-OS-000423-GPOS-00187 + <GroupDescription></GroupDescription> + + WN19-SO-000160 + Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. + <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing. 
-If the following mitigations do not have a status of "ON", this is a finding: +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93555 + SV-103641 + CCI-002421 + CCI-002418 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (always)" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -DEP: -Enable: ON +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ -ASLR: -BottomUp: ON -ForceRelocateImages: ON +Value Name: RequireSecuritySignature -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000423-GPOS-00187 <GroupDescription></GroupDescription> - - WN19-EP-000110 - Windows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000170 + Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. + <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing. + +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for FLTLDR.EXE: + V-93557 + SV-103643 + CCI-002418 + CCI-002421 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (if server agrees)" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding: -DEP: -Enable: ON +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ -ImageLoad: -BlockRemoteImageLoads: ON +Value Name: EnableSecuritySignature -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Value Type: REG_DWORD +Value: 0x00000001 (1) + + + + + SRG-OS-000423-GPOS-00187 + <GroupDescription></GroupDescription> + + WN19-SO-000190 + Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. + <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing. -Child Process: -DisallowChildProcessCreation: ON +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93559 + SV-103645 + CCI-002421 + CCI-002418 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (always)" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +Value Name: RequireSecuritySignature -This is applicable to unclassified systems, for other systems this is NA. +Value Type: REG_DWORD +Value: 0x00000001 (1) + + + + + SRG-OS-000423-GPOS-00187 + <GroupDescription></GroupDescription> + + WN19-SO-000200 + Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. + <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client. -Run "Windows PowerShell" with elevated privileges (run as administrator). 
+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93561 + SV-103647 + CCI-002418 + CCI-002421 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (if client agrees)" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Enter "Get-ProcessMitigation -Name FLTLDR.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ -If the following mitigations do not have a status of "ON", this is a finding: +Value Name: EnableSecuritySignature -DEP: -Enable: ON +Value Type: REG_DWORD +Value: 0x00000001 (1) + + + + + SRG-OS-000425-GPOS-00189 + <GroupDescription></GroupDescription> + + WN19-00-000260 + Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. + <VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. 
These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. -ImageLoad: -BlockRemoteImageLoads: ON +Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission. This can be accomplished via access control and encryption. -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, encrypted VPNs, or IPsec. -Child Process: -DisallowChildProcessCreation: ON +Satisfies: SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103629 + V-93543 + CCI-002420 + CCI-002422 + Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. 
+ + + + If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented. -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +If protection methods have not been implemented, this is a finding. - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000433-GPOS-00192 <GroupDescription></GroupDescription> - - WN19-EP-000120 - Windows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000310 + Windows Server 2019 Explorer Data Execution Prevention must be enabled. + <VulnDiscussion>Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. 
This setting will prevent Data Execution Prevention from being turned off for File Explorer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for GROOVE.EXE: - -DEP: -Enable: ON - -ASLR: -ForceRelocateImages: ON - -ImageLoad: -BlockRemoteImageLoads: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON + V-93563 + SV-103649 + CCI-002824 + The default behavior is for data execution prevention to be turned on for File Explorer. -Child Process: -DisallowChildProcessCreation: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name GROOVE.EXE". 
-(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) - -If the following mitigations do not have a status of "ON", this is a finding: +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off Data Execution Prevention for Explorer" to "Not Configured" or "Disabled". + + + + The default behavior is for Data Execution Prevention to be turned on for File Explorer. -DEP: -Enable: ON +If the registry value name below does not exist, this is not a finding. -ASLR: -ForceRelocateImages: ON +If it exists and is configured with a value of "0", this is not a finding. -ImageLoad: -BlockRemoteImageLoads: ON +If it exists and is configured with a value of "1", this is a finding. -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ -Child Process: -DisallowChildProcessCreation: ON +Value Name: NoDataExecutionPrevention -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000433-GPOS-00193 <GroupDescription></GroupDescription> - - WN19-EP-000130 - Windows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000020 + Windows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on. + <VulnDiscussion>Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Randomize memory allocations (Bottom-Up ASLR)", are enabled by default at the system level. Bottom-Up ASLR (address space layout randomization) randomizes locations for virtual memory allocations, including those for system structures. If this is turned off, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for iexplore.exe: - -DEP: -Enable: ON - -ASLR: -BottomUp: ON -ForceRelocateImages: ON + V-93565 + SV-103651 + CCI-002824 + Ensure Exploit Protection system-level mitigation, "Randomize memory allocations (Bottom-Up ASLR)" is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. 
-Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Open "Windows Defender Security Center". -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. +Select "App & browser control". -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +Select "Exploit protection settings". -This is applicable to unclassified systems, for other systems this is NA. +Under "System settings", configure "Randomize memory allocations (Bottom-Up ASLR)" to "On by default" or "Use default (<On>)". -Run "Windows PowerShell" with elevated privileges (run as administrator). +The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Bottom-Up ASLR on (other system level EP requirements can be combined under <SystemConfig>): -Enter "Get-ProcessMitigation -Name iexplore.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
+<SystemConfig> + <ASLR BottomUp="true" HighEntropy="true"></ASLR> +</SystemConfig> -If the following mitigations do not have a status of "ON", this is a finding: +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + This is applicable to unclassified systems, for other systems this is NA. -DEP: -Enable: ON +The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". -ASLR: -BottomUp: ON -ForceRelocateImages: ON +Run "Windows PowerShell" with elevated privileges (run as administrator). -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Enter "Get-ProcessMitigation -System". -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +If the status of "ASLR: BottomUp" is "OFF", this is a finding. + +Values that would not be a finding include: + +ON +NOTSET (Default configuration) - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000470-GPOS-00214 <GroupDescription></GroupDescription> - - WN19-EP-000140 - Windows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000070 + Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for INFOPATH.EXE: + V-93153 + SV-103241 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Success" selected. 
+ + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -DEP: -Enable: ON +Use the "AuditPol" tool to review the current Audit Policy configuration: -ASLR: -ForceRelocateImages: ON +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Enter "AuditPol /get /category:*" -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. +Compare the "AuditPol" settings with the following: -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +If the system does not audit the following, this is a finding. -This is applicable to unclassified systems, for other systems this is NA. +Account Logon >> Credential Validation - Success + + + + + SRG-OS-000470-GPOS-00214 + <GroupDescription></GroupDescription> + + WN19-AU-000080 + Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. 
Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Run "Windows PowerShell" with elevated privileges (run as administrator). +Credential Validation records events related to validation tests on credentials for a user account logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93155 + SV-103243 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Account Logon >> "Audit Credential Validation" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Enter "Get-ProcessMitigation -Name INFOPATH.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Use the "AuditPol" tool to review the current Audit Policy configuration: -If the following mitigations do not have a status of "ON", this is a finding: +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). 
-DEP: -Enable: ON +Enter "AuditPol /get /category:*" -ASLR: -ForceRelocateImages: ON +Compare the "AuditPol" settings with the following: -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +If the system does not audit the following, this is a finding. -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +Account Logon >> Credential Validation - Failure - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000470-GPOS-00214 <GroupDescription></GroupDescription> - - WN19-EP-000150 - Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000170 + Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Audit Group Membership records information related to the group membership of a user's logon token.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for java.exe, javaw.exe, and javaws.exe: - -DEP: -Enable: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. - -This is applicable to unclassified systems, for other systems this is NA. + SV-103247 + V-93159 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Group Membership" with "Success" selected. 
+ + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Run "Windows PowerShell" with elevated privileges (run as administrator). +Use the "AuditPol" tool to review the current Audit Policy configuration: -Enter "Get-ProcessMitigation -Name [application name]" with each of the following substituted for [application name]: -java.exe, javaw.exe, and javaws.exe -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -If the following mitigations do not have a status of "ON" for each, this is a finding: +Enter "AuditPol /get /category:*" -DEP: -Enable: ON +Compare the "AuditPol" settings with the following: -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +If the system does not audit the following, this is a finding. -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +Logon/Logoff >> Group Membership - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000470-GPOS-00214 <GroupDescription></GroupDescription> - - WN19-EP-000160 - Windows Server 2019 Exploit Protection mitigations must be configured for lync.exe. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000210 + Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. + +Special Logon records special logons that have administrative privileges and can be used to elevate processes. 
+ +Satisfies: SRG-OS-000470-GPOS-00214, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for lync.exe: + V-93161 + SV-103249 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Special Logon" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -DEP: -Enable: ON +Use the "AuditPol" tool to review the current Audit Policy configuration: -ASLR: -ForceRelocateImages: ON +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Enter "AuditPol /get /category:*" -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. 
+Compare the "AuditPol" settings with the following: -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +If the system does not audit the following, this is a finding. -This is applicable to unclassified systems, for other systems this is NA. +Logon/Logoff >> Special Logon - Success + + + + + SRG-OS-000470-GPOS-00214 + <GroupDescription></GroupDescription> + + WN19-AU-000220 + Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Run "Windows PowerShell" with elevated privileges (run as administrator). 
+Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93163 + SV-103251 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Enter "Get-ProcessMitigation -Name lync.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Use the "AuditPol" tool to review the current Audit Policy configuration: -If the following mitigations do not have a status of "ON", this is a finding: +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -DEP: -Enable: ON +Enter "AuditPol /get /category:*" -ASLR: -ForceRelocateImages: ON +Compare the "AuditPol" settings with the following: -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +If the system does not audit the following, this is a finding. 
-The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +Object Access >> Other Object Access Events - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000470-GPOS-00214 <GroupDescription></GroupDescription> - - WN19-EP-000170 - Windows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000230 + Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Auditing for other object access records events related to the management of task scheduler jobs and COM+ objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for MSACCESS.EXE: + V-93165 + SV-103253 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Other Object Access Events" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -DEP: -Enable: ON +Use the "AuditPol" tool to review the current Audit Policy configuration: -ASLR: -ForceRelocateImages: ON +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Enter "AuditPol /get /category:*" -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. +Compare the "AuditPol" settings with the following: + +If the system does not audit the following, this is a finding. 
-The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +Object Access >> Other Object Access Events - Failure + + + + + SRG-OS-000472-GPOS-00217 + <GroupDescription></GroupDescription> + + WN19-AU-000180 + Windows Server 2019 must be configured to audit logoff successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -This is applicable to unclassified systems, for other systems this is NA. +Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local system. If it is to a network share, it is recorded on the system accessed. -Run "Windows PowerShell" with elevated privileges (run as administrator). 
+Satisfies: SRG-OS-000472-GPOS-00217, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103259 + V-93171 + CCI-000172 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Logon/Logoff >> "Audit Logoff" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Enter "Get-ProcessMitigation -Name MSACCESS.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Use the "AuditPol" tool to review the current Audit Policy configuration: -If the following mitigations do not have a status of "ON", this is a finding: +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -DEP: -Enable: ON +Enter "AuditPol /get /category:*" -ASLR: -ForceRelocateImages: ON +Compare the "AuditPol" settings with the following: -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +If the system does not audit the following, this is a finding. -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. 
+Logon/Logoff >> Logoff - Success - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000474-GPOS-00219 <GroupDescription></GroupDescription> - - WN19-EP-000180 - Windows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000130 + Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Plug and Play activity records events related to the successful connection of external devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for MSPUB.EXE: + V-93157 + SV-103245 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Detailed Tracking >> "Audit PNP Activity" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -DEP: -Enable: ON +Use the "AuditPol" tool to review the current Audit Policy configuration: -ASLR: -ForceRelocateImages: ON +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Enter "AuditPol /get /category:*" -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. 
+Compare the "AuditPol" settings with the following: -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +If the system does not audit the following, this is a finding. -This is applicable to unclassified systems, for other systems this is NA. +Detailed Tracking >> Plug and Play Events - Success + + + + + SRG-OS-000474-GPOS-00219 + <GroupDescription></GroupDescription> + + WN19-AU-000240 + Windows Server 2019 must be configured to audit Object Access - Removable Storage successes. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. -Run "Windows PowerShell" with elevated privileges (run as administrator). 
+Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103255 + V-93167 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Success" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -Enter "Get-ProcessMitigation -Name MSPUB.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Use the "AuditPol" tool to review the current Audit Policy configuration: -If the following mitigations do not have a status of "ON", this is a finding: +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -DEP: -Enable: ON +Enter "AuditPol /get /category:*" -ASLR: -ForceRelocateImages: ON +Compare the "AuditPol" settings with the following: -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +If the system does not audit the following, this is a finding. 
-The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +Object Access >> Removable Storage - Success + +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. - - SRG-OS-000480-GPOS-00227 + + SRG-OS-000474-GPOS-00219 <GroupDescription></GroupDescription> - - WN19-EP-000190 - Windows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AU-000250 + Windows Server 2019 must be configured to audit Object Access - Removable Storage failures. + <VulnDiscussion>Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Collecting this data is essential for analyzing the security of information assets and detecting signs of suspicious and unexpected behavior. 
+ +Removable Storage auditing under Object Access records events related to access attempts on file system objects on removable storage devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for OIS.EXE: + V-93169 + SV-103257 + CCI-000172 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Failure" selected. + + + + Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be set to "Enabled" (WN19-SO-000050) for the detailed auditing subcategories to be effective. -DEP: -Enable: ON +Use the "AuditPol" tool to review the current Audit Policy configuration: -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Open "PowerShell" or a "Command Prompt" with elevated privileges ("Run as administrator"). -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. 
+Enter "AuditPol /get /category:*" -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +Compare the "AuditPol" settings with the following: -This is applicable to unclassified systems, for other systems this is NA. +If the system does not audit the following, this is a finding. -Run "Windows PowerShell" with elevated privileges (run as administrator). +Object Access >> Removable Storage - Failure -Enter "Get-ProcessMitigation -Name OIS.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Virtual machines or systems that use network attached storage may generate excessive audit events for secondary virtual drives or the network attached storage when this setting is enabled. This may be set to Not Configured in such cases and would not be a finding. + + + + + SRG-OS-000478-GPOS-00223 + <GroupDescription></GroupDescription> + + WN19-SO-000360 + Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. + <VulnDiscussion>This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. 
Government and must be the algorithms used for all OS encryption functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93511 + SV-103597 + CCI-002450 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -If the following mitigations do not have a status of "ON", this is a finding: +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ -DEP: -Enable: ON +Value Name: Enabled -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Value Type: REG_DWORD +Value: 0x00000001 (1) + +Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise. the browser will not be able to connect to a secure site. + + + + + SRG-OS-000479-GPOS-00224 + <GroupDescription></GroupDescription> + + WN19-AU-000020 + Windows Server 2019 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. 
+ <VulnDiscussion>Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93185 + SV-103273 + CCI-001851 + Configure the system to, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. + + + + Verify the audit records, at a minimum, are off-loaded for interconnected systems in real time and off-loaded for standalone systems weekly. -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +If they are not, this is a finding. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-EP-000200 - Windows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000010 + Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. + <VulnDiscussion>Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for OneDrive.exe: - -DEP: -Enable: ON - -ASLR: -ForceRelocateImages: ON - -ImageLoad: -BlockRemoteImageLoads: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. 
- -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. + V-93369 + SV-103457 + CCI-000366 + Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties. + + + + Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. -This is applicable to unclassified systems, for other systems this is NA. +If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN19-00-000030 + Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. + <VulnDiscussion>Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while running as a privileged user, the entire system could be compromised. Web browsers and email are common attack vectors for introducing malicious code and must not be run with an administrative account. -Run "Windows PowerShell" with elevated privileges (run as administrator). 
+Since administrative accounts may generally change or work around technical restrictions for running a web browser or other applications, it is essential that policy require administrative accounts to not access the Internet or use applications such as email. -Enter "Get-ProcessMitigation -Name OneDrive.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +The policy should define specific exceptions for local service administration. These exceptions may include HTTP(S)-based tools that are used for the administration of the local system, services, or attached devices. -If the following mitigations do not have a status of "ON", this is a finding: +Whitelisting can be used to enforce the policy to ensure compliance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93205 + SV-103293 + CCI-000366 + Establish a policy, at minimum, to prohibit administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Ensure the policy is enforced. -DEP: -Enable: ON +The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement. + + + + Determine whether organization policy, at a minimum, prohibits administrative accounts from using applications that access the Internet, such as web browsers, or with potential Internet sources, such as email, except as necessary for local service administration. 
-ASLR: -ForceRelocateImages: ON +If it does not, this is a finding. -ImageLoad: -BlockRemoteImageLoads: ON +The organization may use technical means such as whitelisting to prevent the use of browsers and mail applications to enforce this requirement. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN19-00-000040 + Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. + <VulnDiscussion>Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions present on NTFS disk drives for backup and restore purposes. Members of the Backup Operators group must have separate logon accounts for performing backup duties.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93207 + SV-103295 + CCI-000366 + Ensure each member of the Backup Operators group has separate accounts for backup functions and standard user functions. + + + + If no accounts are members of the Backup Operators group, this is NA. -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Verify users with accounts in the Backup Operators group have a separate user account for backup functions and for performing normal user tasks. -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. 
+If users with accounts in the Backup Operators group do not have separate accounts for backup functions and standard user functions, this is a finding. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-EP-000210 - Windows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000060 + Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. + <VulnDiscussion>Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. 
If managed service accounts are used, this alleviates the need to manually change application account passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for OUTLOOK.EXE: + V-93209 + SV-103297 + CCI-000366 + Change passwords for manually managed application/service accounts at least annually or when an administrator with knowledge of the password leaves the organization. -DEP: -Enable: ON +It is recommended that system-managed service accounts be used whenever possible. + + + + Determine if manually managed application/service accounts exist. If none exist, this is NA. -ASLR: -ForceRelocateImages: ON +If passwords for manually managed application/service accounts are not changed at least annually or when an administrator with knowledge of the password leaves the organization, this is a finding. -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Identify manually managed application/service accounts. -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. 
+To determine the date a password was last changed: -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +Domain controllers: -This is applicable to unclassified systems, for other systems this is NA. +Open "PowerShell". -Run "Windows PowerShell" with elevated privileges (run as administrator). +Enter "Get-AdUser -Identity [application account name] -Properties PasswordLastSet | FT Name, PasswordLastSet", where [application account name] is the name of the manually managed application/service account. -Enter "Get-ProcessMitigation -Name OUTLOOK.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +If the "PasswordLastSet" date is more than one year old, this is a finding. -If the following mitigations do not have a status of "ON", this is a finding: -DEP: -Enable: ON +Member servers and standalone systems: -ASLR: -ForceRelocateImages: ON +Open "Command Prompt". -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Enter 'Net User [application account name] | Find /i "Password Last Set"', where [application account name] is the name of the manually managed application/service account. -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +If the "Password Last Set" date is more than one year old, this is a finding. 
- + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-EP-000220 - Windows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000090 + Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. + <VulnDiscussion>Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met in order for Credential Guard to be configured and enabled properly. 
Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for plugin-container.exe: - -DEP: -Enable: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON + SV-103301 + V-93213 + CCI-000366 + Ensure domain-joined systems have a TPM that is configured for use. (Versions 2.0 or 1.2 support Credential Guard.) -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. +The TPM must be enabled in the firmware. -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +Run "tpm.msc" for configuration options in Windows. + + + + For standalone systems, this is NA. -This is applicable to unclassified systems, for other systems this is NA. 
+Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. -Run "Windows PowerShell" with elevated privileges (run as administrator). +Verify the system has a TPM and it is ready for use. -Enter "Get-ProcessMitigation -Name plugin-container.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Run "tpm.msc". -If the following mitigations do not have a status of "ON", this is a finding: +Review the sections in the center pane. -DEP: -Enable: ON +"Status" must indicate it has been configured with a message such as "The TPM is ready for use" or "The TPM is on and ownership has been taken". -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +TPM Manufacturer Information - Specific Version = 2.0 or 1.2 -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +If a TPM is not found or is not ready for use, this is a finding. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-EP-000230 - Windows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000100 + Windows Server 2019 must be maintained at a supported servicing level. + <VulnDiscussion>Systems at unsupported servicing levels will not receive security updates for new vulnerabilities, which leave them subject to exploitation. Systems must be maintained at a servicing level supported by the vendor with new security updates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for POWERPNT.EXE: - -DEP: -Enable: ON - -ASLR: -ForceRelocateImages: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. 
- -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name POWERPNT.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) - -If the following mitigations do not have a status of "ON", this is a finding: - -DEP: -Enable: ON + SV-103303 + V-93215 + CCI-000366 + Update the system to a Version 1809 (Build 17763.xxx) or greater. + + + + Open "Command Prompt". -ASLR: -ForceRelocateImages: ON +Enter "winver.exe". -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +If the "About Windows" dialog box does not display "Microsoft Windows Server Version 1809 (Build 17763.xxx)" or greater, this is a finding. -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +Preview versions must not be used in a production environment. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-EP-000240 - Windows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000110 + Windows Server 2019 must use an anti-virus program. + <VulnDiscussion>Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for PPTVIEW.EXE: + SV-103305 + V-93217 + CCI-000366 + If no anti-virus software is in use, install Windows Defender or third-party anti-virus. -DEP: -Enable: ON +Open "PowerShell". -ASLR: -ForceRelocateImages: ON +Enter "Install-WindowsFeature -Name Windows-Defender”. -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +For third-party anti-virus, install per anti-virus instructions and disable Windows Defender. 
-Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. +Open "PowerShell". -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +Enter "Uninstall-WindowsFeature -Name Windows-Defender”. + + + + + Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. -This is applicable to unclassified systems, for other systems this is NA. +If there is no anti-virus solution installed on the system, this is a finding. -Run "Windows PowerShell" with elevated privileges (run as administrator). +Verify if Windows Defender is in use or enabled: -Enter "Get-ProcessMitigation -Name PPTVIEW.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Open "PowerShell". -If the following mitigations do not have a status of "ON", this is a finding: +Enter “get-service | where {$_.DisplayName -Like "*Defender*"} | Select Status,DisplayName” -DEP: -Enable: ON +Verify if third-party anti-virus is in use or enabled: -ASLR: -ForceRelocateImages: ON +Open "PowerShell". -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Enter "get-service | where {$_.DisplayName -Like "*mcafee*"} | Select Status,DisplayName” -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. 
+Enter "get-service | where {$_.DisplayName -Like "*symantec*"} | Select Status,DisplayName” + - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-EP-000250 - Windows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000120 + Windows Server 2019 must have a host-based intrusion detection or prevention system. + <VulnDiscussion>A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense against unauthorized access to critical servers. 
With proper configuration and logging enabled, such a system can stop and/or alert for many attempts to gain unauthorized access to resources.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 - - CCI-000366 - Ensure the following mitigations are turned "ON" for VISIO.EXE: - -DEP: -Enable: ON - -ASLR: -ForceRelocateImages: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name VISIO.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
- -If the following mitigations do not have a status of "ON", this is a finding: - -DEP: -Enable: ON - -ASLR: -ForceRelocateImages: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON + MS Windows Server 2019 + 2907 + + SV-103307 + V-93219 + CCI-000366 + Install a HIDS or HIPS on each server. + + + + Determine whether there is a HIDS or HIPS on each server. -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +If the HIPS component of HBSS is installed and active on the host and the alerts of blocked activity are being logged and monitored, this meets the requirement. + +A HIDS device is not required on a system that has the role as the Network Intrusion Device (NID). However, this exception needs to be documented with the ISSO. + +If a HIDS is not installed on the system, this is a finding. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-EP-000260 - Windows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000240 + Windows Server 2019 must have software certificate installation files removed. 
+ <VulnDiscussion>Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for VPREVIEW.EXE: + V-93221 + SV-103309 + CCI-000366 + Remove any certificate installation files (*.p12 and *.pfx) found on a system. -DEP: -Enable: ON +Note: This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. + + + + Search all drives for *.p12 and *.pfx files. -ASLR: -ForceRelocateImages: ON +If any files with these extensions exist, this is a finding. -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +This does not apply to server-based applications that have a requirement for .p12 certificate files or Adobe PreFlight certificate files. Some applications create files with extensions of .p12 that are not certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN19-00-000420 + Windows Server 2019 FTP servers must be configured to prevent anonymous logons. + <VulnDiscussion>The FTP service allows remote users to access shared files and directories. 
Allowing anonymous FTP connections makes user auditing difficult. -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. +Using accounts that have administrator privileges to log on to FTP risks that the userid and password will be captured on the network and give administrator access to an unauthorized user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93223 + SV-103311 + CCI-000366 + Configure the FTP service to prevent anonymous logons. -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +Open "Internet Information Services (IIS) Manager". -This is applicable to unclassified systems, for other systems this is NA. +Select the server. -Run "Windows PowerShell" with elevated privileges (run as administrator). +Double-click "FTP Authentication". -Enter "Get-ProcessMitigation -Name VPREVIEW.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Select "Anonymous Authentication". -If the following mitigations do not have a status of "ON", this is a finding: +Select "Disabled" under "Actions". 
+ + + + If FTP is not installed on the system, this is NA. -DEP: -Enable: ON +Open "Internet Information Services (IIS) Manager". -ASLR: -ForceRelocateImages: ON +Select the server. -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Double-click "FTP Authentication". -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +If the "Anonymous Authentication" status is "Enabled", this is a finding. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-EP-000270 - Windows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000430 + Windows Server 2019 FTP servers must be configured to prevent access to the system drive. 
+ <VulnDiscussion>The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, especially if the user can gain access to the root directory of the boot drive.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for WINWORD.EXE: - -DEP: -Enable: ON - -ASLR: -ForceRelocateImages: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. - -This is applicable to unclassified systems, for other systems this is NA. - -Run "Windows PowerShell" with elevated privileges (run as administrator). - -Enter "Get-ProcessMitigation -Name WINWORD.EXE". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
+ V-93225 + SV-103313 + CCI-000366 + Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system. + + + + If FTP is not installed on the system, this is NA. -If the following mitigations do not have a status of "ON", this is a finding: +Open "Internet Information Services (IIS) Manager". -DEP: -Enable: ON +Select "Sites" under the server name. -ASLR: -ForceRelocateImages: ON +For any sites with a Binding that lists FTP, right-click the site and select "Explore". -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +If the site is not defined to a specific folder for shared FTP resources, this is a finding. -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +If the site includes any system areas such as root of the drive, Program Files, or Windows directories, this is a finding. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-EP-000280 - Windows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-00-000460 + Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. + <VulnDiscussion>UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional security features in Windows, including Virtualization Based Security and Credential Guard. Systems with UEFI that are operating in "Legacy BIOS" mode will not support these security features.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for wmplayer.exe: - -DEP: -Enable: ON - -Payload: -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON - -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. + V-93229 + SV-103317 + CCI-000366 + Configure UEFI firmware to run in "UEFI" mode, not "Legacy BIOS" mode. + + + + Some older systems may not have UEFI firmware. 
This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must run in "UEFI" mode. -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +Verify the system firmware is configured to run in "UEFI" mode, not "Legacy BIOS". -This is applicable to unclassified systems, for other systems this is NA. +Run "System Information". -Run "Windows PowerShell" with elevated privileges (run as administrator). +Under "System Summary", if "BIOS Mode" does not display "UEFI", this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN19-00-000470 + Windows Server 2019 must have Secure Boot enabled. + <VulnDiscussion>Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security features in Windows, including Virtualization Based Security and Credential Guard. 
If Secure Boot is turned off, these security features will not function.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103319 + V-93231 + CCI-000366 + Enable Secure Boot in the system firmware. + + + + Some older systems may not have UEFI firmware. This is currently a CAT III; it will be raised in severity at a future date when broad support of Windows hardware and firmware requirements are expected to be met. Devices that have UEFI firmware must have Secure Boot enabled. -Enter "Get-ProcessMitigation -Name wmplayer.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Run "System Information". -If the following mitigations do not have a status of "ON", this is a finding: +Under "System Summary", if "Secure Boot State" does not display "On", this is a finding. -DEP: -Enable: ON +On server core installations, run the following PowerShell command: -Payload: -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Confirm-SecureBootUEFI -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. +If a value of "True" is not returned, this is a finding. - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-EP-000290 - Windows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe. - <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000030 + Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. + <VulnDiscussion>Configuring the system to disable IPv6 source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure the following mitigations are turned "ON" for wordpad.exe: - -DEP: -Enable: ON - -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON + V-93233 + SV-103321 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. -Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. 
- -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - If the referenced application is not installed on the system, this is NA. +This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -This is applicable to unclassified systems, for other systems this is NA. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\ -Run "Windows PowerShell" with elevated privileges (run as administrator). +Value Name: DisableIPSourceRouting -Enter "Get-ProcessMitigation -Name wordpad.exe". -(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) +Type: REG_DWORD +Value: 0x00000002 (2) + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN19-CC-000040 + Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. 
+ <VulnDiscussion>Configuring the system to disable IP source routing protects against spoofing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93235 + SV-103323 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" to "Enabled" with "Highest protection, source routing is completely disabled" selected. -If the following mitigations do not have a status of "ON", this is a finding: +This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -DEP: -Enable: ON +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -Payload: -EnableExportAddressFilter: ON -EnableExportAddressFilterPlus: ON -EnableImportAddressFilter: ON -EnableRopStackPivot: ON -EnableRopCallerCheck: ON -EnableRopSimExec: ON +Value Name: DisableIPSourceRouting -The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. 
+Value Type: REG_DWORD +Value: 0x00000002 (2) - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000010 - Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. - <VulnDiscussion>Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000050 + Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. + <VulnDiscussion>Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via the shortest path first.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Ensure each user with administrative privileges has a separate account for user duties and one for privileged duties. - - - - Verify each user with administrative privileges has been assigned a unique administrative account separate from their standard user account. 
+ V-93237 + SV-103325 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" to "Disabled". -If users with administrative privileges do not have separate accounts for administrative functions and standard user functions, this is a finding. +This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. + + + + If the following registry value does not exist or is not configured as specified, this is a finding: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ + +Value Name: EnableICMPRedirect + +Value Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000368-GPOS-00154 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000210 - Windows Server 2019 Autoplay must be turned off for non-volume devices. - <VulnDiscussion>Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. This setting will disable AutoPlay for non-volume devices, such as Media Transfer Protocol (MTP) devices.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000070 + Windows Server 2019 insecure logons to an SMB server must be disabled. 
+ <VulnDiscussion>Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001764 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Disallow Autoplay for non-volume devices" to "Enabled". - - - + SV-103327 + V-93239 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Lanman Workstation >> "Enable insecure guest logons" to "Disabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\ -Value Name: NoAutoplayfornonVolume +Value Name: AllowInsecureGuestAuth Type: REG_DWORD -Value: 0x00000001 (1) +Value: 0x00000000 (0) - - SRG-OS-000368-GPOS-00154 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000220 - Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands. - <VulnDiscussion>Allowing AutoRun commands to execute may introduce malicious code to a system. 
Configuring this setting prevents AutoRun commands from executing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000080 + Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. + <VulnDiscussion>Additional security requirements are applied to UNC paths specified in hardened UNC paths before allowing access to them. This aids in preventing tampering with or spoofing of connections to these paths.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001764 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Set the default behavior for AutoRun" to "Enabled" with "Do not execute any autorun commands" selected. 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93241 + SV-103329 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> Network >> Network Provider >> "Hardened UNC Paths" to "Enabled" with at least the following configured in "Hardened UNC Paths" (click the "Show" button to display): + +Value Name: \\*\SYSVOL +Value: RequireMutualAuthentication=1, RequireIntegrity=1 + +Value Name: \\*\NETLOGON +Value: RequireMutualAuthentication=1, RequireIntegrity=1 + + + + This requirement is applicable to domain-joined systems. For standalone systems, this is NA. + +If the following registry values do not exist or are not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\ -Value Name: NoAutorun +Value Name: \\*\NETLOGON +Value Type: REG_SZ +Value: RequireMutualAuthentication=1, RequireIntegrity=1 -Type: REG_DWORD -Value: 0x00000001 (1) +Value Name: \\*\SYSVOL +Value Type: REG_SZ +Value: RequireMutualAuthentication=1, RequireIntegrity=1 + +Additional entries would not be a finding. - - SRG-OS-000368-GPOS-00154 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000230 - Windows Server 2019 AutoPlay must be disabled for all drives. - <VulnDiscussion>Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon media is inserted into the drive. As a result, the setup file of programs or music on audio media may start. By default, AutoPlay is disabled on removable drives, such as the floppy disk drive (but not the CD-ROM drive) and on network drives. 
Enabling this policy disables AutoPlay on all drives.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000100 + Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials. + <VulnDiscussion>An exportable version of credentials is provided to remote hosts when using credential delegation which exposes them to theft on the remote host. Restricted Admin mode or Remote Credential Guard allow delegation of non-exportable credentials providing additional protection of the credentials. Enabling this configures the host to support Restricted Admin mode or Remote Credential Guard.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001764 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Turn off AutoPlay" to "Enabled" with "All Drives" selected. - - - + V-93243 + SV-103331 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> "Remote host allows delegation of non-exportable credentials" to "Enabled". 
+ + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\ -Value Name: NoDriveTypeAutoRun +Value Name: AllowProtectedCreds Type: REG_DWORD -Value: 0x000000ff (255) +Value: 0x00000001 (1) - - SRG-OS-000370-GPOS-00155 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000080 - Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. - <VulnDiscussion>Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. - -The organization must identify authorized software programs and only permit execution of authorized software. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000110 + Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. + <VulnDiscussion>Virtualization Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. 
Secure Boot is the minimum security level, with DMA protection providing additional memory protection. DMA Protection requires a CPU that supports input/output memory management unit (IOMMU).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001774 - Configure an application whitelisting program to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. + SV-103333 + V-93245 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot" or "Secure Boot and DMA Protection" selected. -Configuration of whitelisting applications will vary by the program. AppLocker is a whitelisting application built into Windows Server. +A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: -If AppLocker is used, it is configured through group policy in Computer Configuration >> Windows Settings >> Security Settings >> Application Control Policies >> AppLocker. +https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard + + + + For standalone systems, this is NA. 
-Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: +Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. -https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm - - - - This is applicable to unclassified systems. For other systems, this is NA. +Open "PowerShell" with elevated privileges (run as administrator). -Verify the operating system employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs. +Enter the following: -If an application whitelisting program is not in use on the system, this is a finding. +"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" -Configuration of whitelisting applications will vary by the program. +If "RequiredSecurityProperties" does not include a value of "2" indicating "Secure Boot" (e.g., "{1, 2}"), this is a finding. -AppLocker is a whitelisting application built into Windows Server. A deny-by-default implementation is initiated by enabling any AppLocker rules within a category, only allowing what is specified by defined rules. +If "Secure Boot and DMA Protection" is configured, "3" will also be displayed in the results (e.g., "{1, 2, 3}"). -If AppLocker is used, perform the following to view the configuration of AppLocker: +If "VirtualizationBasedSecurityStatus" is not a value of "2" indicating "Running", this is a finding. -Open "PowerShell". +Alternately: -If the AppLocker PowerShell module has not been imported previously, execute the following first: +Run "System Information". 
-Import-Module AppLocker +Under "System Summary", verify the following: -Execute the following command, substituting [c:\temp\file.xml] with a location and file name appropriate for the system: +If "Device Guard Virtualization based security" does not display "Running", this is a finding. -Get-AppLockerPolicy -Effective -XML > c:\temp\file.xml +If "Device Guard Required Security Properties" does not display "Base Virtualization Support, Secure Boot", this is a finding. -This will produce an xml file with the effective settings that can be viewed in a browser or opened in a program such as Excel for review. +If "Secure Boot and DMA Protection" is configured, "DMA Protection" will also be displayed (e.g., "Base Virtualization Support, Secure Boot, DMA Protection"). -Implementation guidance for AppLocker is available in the NSA paper "Application Whitelisting using Microsoft AppLocker" at the following link: +The policy settings referenced in the Fix section will configure the following registry values. However, due to hardware requirements, the registry values alone do not ensure proper function. -https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ + +Value Name: EnableVirtualizationBasedSecurity +Value Type: REG_DWORD +Value: 0x00000001 (1) + +Value Name: RequirePlatformSecurityFeatures +Value Type: REG_DWORD +Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA Protection) + +A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: + +https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000270 - Windows Server 2019 must have the roles and features required by the system documented. 
- <VulnDiscussion>Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option (previously called Server Core) further reduces this when selected at installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000130 + Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. + <VulnDiscussion>Compromised boot drivers can introduce malware prior to protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on classifications determined by the malware protection application. At a minimum, drivers determined to be bad must not be allowed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Document the roles and features required for the system to operate. Uninstall any that are not required. - - - - Required roles and features will vary based on the function of the individual system. 
+ V-93249 + SV-103337 + CCI-000366 + The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). -Roles and features specifically required to be disabled per the STIG are identified in separate requirements. +If this needs to be corrected or a more secure setting is desired, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Early Launch Antimalware >> "Boot-Start Driver Initialization Policy" to "Not Configured" or "Enabled" with any option other than "All" selected. + + + + The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but critical" (preventing "bad"). -If the organization has not documented the roles and features required for the system(s), this is a finding. +If the registry value name below does not exist, this is not a finding. -The PowerShell command "Get-WindowsFeature" will list all roles and features with an "Install State". +If it exists and is configured with a value of "0x00000007 (7)", this is a finding. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\ + +Value Name: DriverLoadPolicy + +Value Type: REG_DWORD +Value: 0x00000001 (1), 0x00000003 (3), or 0x00000008 (8) (or if the Value Name does not exist) + +Possible values for this setting are: +8 - Good only +1 - Good and unknown +3 - Good, unknown and bad but critical +7 - All (which includes "bad" and would be a finding) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000320 - Windows Server 2019 must not have the Fax Server role installed. - <VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000140 + Windows Server 2019 group policy objects must be reprocessed even if they have not changed. + <VulnDiscussion>Registry entries for group policy settings can potentially be changed from the required configuration. This could occur as part of troubleshooting or by a malicious process on a compromised system. Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures the policies will be reprocessed even if none have been changed. This way, any unauthorized changes are forced to match the domain-based group policy settings again.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Uninstall the "Fax Server" role. - -Start "Server Manager". - -Select the server with the role. - -Scroll down to "ROLES AND FEATURES" in the right pane. - -Select "Remove Roles and Features" from the drop-down "TASKS" list. - -Select the appropriate server on the "Server Selection" page and click "Next". - -Deselect "Fax Server" on the "Roles" page. 
- -Click "Next" and "Remove" as prompted. - - - - Open "PowerShell". + V-93251 + SV-103339 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Group Policy >> "Configure registry policy processing" to "Enabled" with the option "Process even if the Group Policy objects have not changed" selected. + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Enter "Get-WindowsFeature | Where Name -eq Fax". +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\ -If "Installed State" is "Installed", this is a finding. +Value Name: NoGPOListChanges -An Installed State of "Available" or "Removed" is not a finding. +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000340 - Windows Server 2019 must not have the Peer Name Resolution Protocol installed. - <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000180 + Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery). + <VulnDiscussion>A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. 
This setting ensures users are prompted for a password when the system wakes from sleep (on battery).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Uninstall the "Peer Name Resolution Protocol" feature. - -Start "Server Manager". - -Select the server with the feature. - -Scroll down to "ROLES AND FEATURES" in the right pane. - -Select "Remove Roles and Features" from the drop-down "TASKS" list. - -Select the appropriate server on the "Server Selection" page and click "Next". - -Deselect "Peer Name Resolution Protocol" on the "Features" page. - -Click "Next" and "Remove" as prompted. - - - - Open "PowerShell". + SV-103341 + V-93253 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (on battery)" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Enter "Get-WindowsFeature | Where Name -eq PNRP". +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ -If "Installed State" is "Installed", this is a finding. +Value Name: DCSettingIndex -An Installed State of "Available" or "Removed" is not a finding. 
+Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000350 - Windows Server 2019 must not have Simple TCP/IP Services installed. - <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000190 + Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in). + <VulnDiscussion>A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. This setting ensures users are prompted for a password when the system wakes from sleep (plugged in).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Uninstall the "Simple TCP/IP Services" feature. - -Start "Server Manager". - -Select the server with the feature. - -Scroll down to "ROLES AND FEATURES" in the right pane. - -Select "Remove Roles and Features" from the drop-down "TASKS" list. 
+ SV-103343 + V-93255 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Power Management >> Sleep Settings >> "Require a password when a computer wakes (plugged in)" to "Enabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Select the appropriate server on the "Server Selection" page and click "Next". +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ -Deselect "Simple TCP/IP Services" on the "Features" page. +Value Name: ACSettingIndex -Click "Next" and "Remove" as prompted. - - - - Open "PowerShell". +Type: REG_DWORD +Value: 0x00000001 (1) + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN19-CC-000250 + Windows Server 2019 Telemetry must be configured to Security or Basic. + <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information from being sent outside the enterprise. The "Security" option for Telemetry configures the lowest amount of data, effectively none outside of the Malicious Software Removal Tool (MSRT), Defender, and telemetry client settings. 
"Basic" sends basic diagnostic and usage data and may be required to support some Microsoft services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93257 + SV-103345 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Data Collection and Preview Builds>> "Allow Telemetry" to "Enabled" with "0 - Security [Enterprise Only]" or "1 - Basic" selected in "Options". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Enter "Get-WindowsFeature | Where Name -eq Simple-TCPIP". +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DataCollection\ -If "Installed State" is "Installed", this is a finding. +Value Name: AllowTelemetry -An Installed State of "Available" or "Removed" is not a finding. +Type: REG_DWORD +Value: 0x00000000 (0) (Security), 0x00000001 (1) (Basic) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000370 - Windows Server 2019 must not have the TFTP Client installed. - <VulnDiscussion>Unnecessary services increase the attack surface of a system. 
Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000260 + Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet. + <VulnDiscussion>Windows Update can obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs on the local network as well as on the Internet. This is part of the Windows Update trusted process, however to minimize outside exposure, obtaining updates from or sending to systems on the Internet must be prevented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Uninstall the "TFTP Client" feature. - -Start "Server Manager". - -Select the server with the feature. - -Scroll down to "ROLES AND FEATURES" in the right pane. + V-93259 + SV-103347 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Delivery Optimization >> "Download Mode" to "Enabled" with any option except "Internet" selected. -Select "Remove Roles and Features" from the drop-down "TASKS" list. 
- -Select the appropriate server on the "Server Selection" page and click "Next". +Acceptable selections include: -Deselect "TFTP Client" on the "Features" page. +Bypass (100) +Group (2) +HTTP only (0) +LAN (1) +Simple (99) + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Click "Next" and "Remove" as prompted. - - - - Open "PowerShell". +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\ -Enter "Get-WindowsFeature | Where Name -eq TFTP-Client". +Value Name: DODownloadMode -If "Installed State" is "Installed", this is a finding. +Value Type: REG_DWORD +Value: 0x00000000 (0) - No peering (HTTP Only) +0x00000001 (1) - Peers on same NAT only (LAN) +0x00000002 (2) - Local Network / Private group peering (Group) +0x00000063 (99) - Simple download mode, no peering (Simple) +0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass) -An Installed State of "Available" or "Removed" is not a finding. +A value of 0x00000003 (3), Internet, is a finding. - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000380 - Windows Server 2019 must not the Server Message Block (SMB) v1 protocol installed. - <VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000320 + Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled. 
+ <VulnDiscussion>Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Uninstall the SMBv1 protocol. + V-93261 + SV-103349 + CCI-000366 + The default behavior is for File Explorer heap termination on corruption to be disabled. -Open "Windows PowerShell" with elevated privileges (run as administrator). +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off heap termination on corruption" to "Not Configured" or "Disabled". + + + + The default behavior is for File Explorer heap termination on corruption to be enabled. -Enter "Uninstall-WindowsFeature -Name FS-SMB1 -Restart". -(Omit the Restart parameter if an immediate restart of the system cannot be done.) +If the registry Value Name below does not exist, this is not a finding. -Alternately: +If it exists and is configured with a value of "0", this is not a finding. -Start "Server Manager". +If it exists and is configured with a value of "1", this is a finding. -Select the server with the feature. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ -Scroll down to "ROLES AND FEATURES" in the right pane. +Value Name: NoHeapTerminationOnCorruption -Select "Remove Roles and Features" from the drop-down "TASKS" list. 
+Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist) + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN19-CC-000330 + Windows Server 2019 File Explorer shell protocol must run in protected mode. + <VulnDiscussion>The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a limited set of folders increases the security of Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103351 + V-93263 + CCI-000366 + The default behavior is for shell protected mode to be turned on for File Explorer. -Select the appropriate server on the "Server Selection" page and click "Next". +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off shell protocol protected mode" to "Not Configured" or "Disabled". + + + + The default behavior is for shell protected mode to be turned on for File Explorer. -Deselect "SMB 1.0/CIFS File Sharing Support" on the "Features" page. +If the registry value name below does not exist, this is not a finding. -Click "Next" and "Remove" as prompted. - - - - Different methods are available to disable SMBv1 on Windows Server 2019. This is the preferred method, however if WN19-00-000390 and WN19-00-000400 are configured, this is NA. +If it exists and is configured with a value of "0", this is not a finding. -Open "Windows PowerShell" with elevated privileges (run as administrator). 
+If it exists and is configured with a value of "1", this is a finding. -Enter "Get-WindowsFeature -Name FS-SMB1". +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ -If "Installed State" is "Installed", this is a finding. +Value Name: PreXPSP2ShellProtocolBehavior -An Installed State of "Available" or "Removed" is not a finding. +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000390 - Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. - <VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000390 + Windows Server 2019 must prevent attachments from being downloaded from RSS feeds. + <VulnDiscussion>Attachments from RSS feeds may not be secure. 
This setting will prevent attachments from being downloaded from RSS feeds.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 Server" to "Disabled". - -The system must be restarted for the change to take effect. - -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - - - - Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA. - -If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103353 + V-93265 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Prevent downloading of enclosures" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ +Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ -Value Name: SMB1 +Value Name: DisableEnclosureDownload Type: REG_DWORD -Value: 0x00000000 (0) +Value: 0x00000001 (1) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000400 - Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client. - <VulnDiscussion>SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000440 + Windows Server 2019 users must be notified if a web-based program attempts to install software. + <VulnDiscussion>Web-based programs may attempt to install malicious software on a system. 
Ensuring users are notified if a web-based program attempts to install software allows them to refuse the installation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Configure SMBv1 client driver" to "Enabled" with "Disable driver (recommended)" selected for "Configure MrxSmb10 driver". + V-93267 + SV-103355 + CCI-000366 + The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. -The system must be restarted for the changes to take effect. +If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Installer >> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Not Configured" or "Disabled". + + + + The default behavior is for Internet Explorer to warn users and select whether to allow or refuse installation when a web-based program attempts to install software on the system. -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and "SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - - - - Different methods are available to disable SMBv1 on Windows Server 2019, if WN19-00-000380 is configured, this is NA. 
+If the registry value name below does not exist, this is not a finding. -If the following registry value is not configured as specified, this is a finding: +If it exists and is configured with a value of "0", this is not a finding. + +If it exists and is configured with a value of "1", this is a finding. Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\mrxsmb10\ +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Installer\ -Value Name: Start +Value Name: SafeForScripting -Type: REG_DWORD -Value: 0x00000004 (4) +Value Type: REG_DWORD +Value: 0x00000000 (0) (or if the Value Name does not exist) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000410 - Windows Server 2019 must not have Windows PowerShell 2.0 installed. - <VulnDiscussion>Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.x script block logging feature.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000010 + Windows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on. + <VulnDiscussion>Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Data Execution Prevention (DEP)", are enabled by default at the system level. DEP prevents code from being run from data-only memory pages. 
If this is turned off, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Uninstall the "Windows PowerShell 2.0 Engine". - -Start "Server Manager". + V-93313 + SV-103401 + CCI-000366 + Ensure Exploit Protection system-level mitigation, "Data Execution Prevention (DEP)", is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. -Select the server with the feature. +Open "Windows Defender Security Center". -Scroll down to "ROLES AND FEATURES" in the right pane. +Select "App & browser control". -Select "Remove Roles and Features" from the drop-down "TASKS" list. +Select "Exploit protection settings". -Select the appropriate server on the "Server Selection" page and click "Next". +Under "System settings", configure "Data Execution Prevention (DEP)" to "On by default" or "Use default (<On>)". -Deselect "Windows PowerShell 2.0 Engine" under "Windows PowerShell" on the "Features" page. +The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn DEP on (other system level EP requirements can be combined under <SystemConfig>): -Click "Next" and "Remove" as prompted. - - - - Open "PowerShell". +<SystemConfig> + <DEP Enable="true"></DEP> +</SystemConfig> -Enter "Get-WindowsFeature | Where Name -eq PowerShell-v2". 
+The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + This is applicable to unclassified systems, for other systems this is NA. -If "Installed State" is "Installed", this is a finding. +The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". -An Installed State of "Available" or "Removed" is not a finding. - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN19-CC-000010 - Windows Server 2019 must prevent the display of slide shows on the lock screen. - <VulnDiscussion>Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> Control Panel >> Personalization >> "Prevent enabling lock screen slide show" to "Enabled". - - - - Verify the registry value below. +Run "Windows PowerShell" with elevated privileges (run as administrator). -If it does not exist or is not configured as specified, this is a finding. +Enter "Get-ProcessMitigation -System". 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Personalization\ +If the status of "DEP: Enable" is "OFF", this is a finding. -Value Name: NoLockScreenSlideshow +Values that would not be a finding include: -Value Type: REG_DWORD -Value: 0x00000001 (1) +ON +NOTSET (Default configuration) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000020 - Windows Server 2019 must have WDigest Authentication disabled. - <VulnDiscussion>When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by default in Windows Server 2019. This setting ensures this is enforced.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000030 + Windows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on. + <VulnDiscussion>Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Control flow guard (CFG)", are enabled by default at the system level. CFG ensures flow integrity for indirect calls. 
If this is turned off, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "WDigest Authentication (disabling may require KB2871997)" to "Disabled". + V-93315 + SV-103403 + CCI-000366 + Ensure Exploit Protection system-level mitigation, "Control flow guard (CFG)", is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. "SecGuide.admx" and " SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Open "Windows Defender Security Center". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\ +Select "App & browser control". -Value Name: UseLogonCredential +Select "Exploit protection settings". -Type: REG_DWORD -Value: 0x00000000 (0) - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN19-CC-000150 - Windows Server 2019 downloading print driver packages over HTTP must be turned off. - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. 
Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. +Under "System settings", configure "Control flow guard (CFG)" to "On by default" or "Use default (<On>)". -This setting prevents the computer from downloading print driver packages over HTTP.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off downloading of print drivers over HTTP" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: +The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. 
Adding the following to the XML file will explicitly turn CFG on (other system level EP requirements can be combined under <SystemConfig>): -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ +<SystemConfig> + <ControlFlowGuard Enable="true"></ControlFlowGuard> +</SystemConfig> -Value Name: DisableWebPnPDownload +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + This is applicable to unclassified systems, for other systems this is NA. -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN19-CC-000160 - Windows Server 2019 printing over HTTP must be turned off. - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. +The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". + +Run "Windows PowerShell" with elevated privileges (run as administrator). 
-This setting prevents the client computer from printing over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Internet Communication Management >> Internet Communication settings >> "Turn off printing over HTTP" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Enter "Get-ProcessMitigation -System". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Printers\ +If the status of "CFG: Enable" is "OFF", this is a finding. -Value Name: DisableHTTPPrinting +Values that would not be a finding include: -Type: REG_DWORD -Value: 0x00000001 (1) +ON +NOTSET (Default configuration) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000170 - Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen. 
- <VulnDiscussion>Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000040 + Windows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on. + <VulnDiscussion>Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Validate exception chains (SEHOP)", are enabled by default at the system level. SEHOP (structured exception handling overwrite protection) ensures the integrity of an exception chain during exception dispatch. If this is turned off, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Do not display network selection UI" to "Enabled". - - - - Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. 
+ V-93317 + SV-103405 + CCI-000366 + Ensure Exploit Protection system-level mitigation, "Validate exception chains (SEHOP)", is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ +Open "Windows Defender Security Center". -Value Name: DontDisplayNetworkSelectionUI +Select "App & browser control". -Value Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000095-GPOS-00049 - <GroupDescription></GroupDescription> - - WN19-CC-000200 - Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. - <VulnDiscussion>Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. +Select "Exploit protection settings". -This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Application Compatibility >> "Turn off Inventory Collector" to "Enabled". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Under "System settings", configure "Validate exception chains (SEHOP)" to "On by default" or "Use default (<On>)". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\AppCompat\ +The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn SEHOP on (other system level EP requirements can be combined under <SystemConfig>): -Value Name: DisableInventory +<SystemConfig> + <SEHOP Enable="true"></SEHOP> +</SystemConfig> -Type: REG_DWORD -Value: 0x00000001 (1) +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + This is applicable to unclassified systems, for other systems this is NA. + +The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". + +Run "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Get-ProcessMitigation -System". + +If the status of "SEHOP: Enable" is "OFF", this is a finding. + +Values that would not be a finding include: + +ON +NOTSET (Default configuration) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000300 - Windows Server 2019 Windows Defender SmartScreen must be enabled. 
- <VulnDiscussion>Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen can block potentially malicious programs or warn users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000050 + Windows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on. + <VulnDiscussion>Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Validate heap integrity", are enabled by default at the system level. "Validate heap integrity" terminates a process when heap corruption is detected. If this is turned off, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Configure Windows Defender SmartScreen" to "Enabled" with either option "Warn" or "Warn and prevent bypass" selected. + V-93319 + SV-103407 + CCI-000366 + Ensure Exploit Protection system-level mitigation, "Validate heap integrity" is turned on. 
The default configuration in Exploit Protection is "On by default" which meets this requirement. -Windows 2019 includes duplicate policies for this setting. It can also be configured under Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Explorer. - - - - This is applicable to unclassified systems; for other systems, this is NA. +Open "Windows Defender Security Center". -If the following registry value does not exist or is not configured as specified, this is a finding: +Select "App & browser control". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ +Select "Exploit protection settings". -Value Name: EnableSmartScreen +Under "System settings", configure "Validate heap integrity" to "On by default" or "Use default (<On>)". -Value Type: REG_DWORD -Value: 0x00000001 (1) +The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Validate heap integrity on (other system level EP requirements can be combined under <SystemConfig>): + +<SystemConfig> + <Heap TerminateOnError="true"></Heap> +</SystemConfig> + +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + This is applicable to unclassified systems, for other systems this is NA. + +The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". 
+ +Run "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Get-ProcessMitigation -System". + +If the status of "Heap: TerminateOnError" is "OFF", this is a finding. + +Values that would not be a finding include: + +ON +NOTSET (Default configuration) - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000400 - Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP. - <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000060 + Windows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. 
+ SV-103409 + V-93321 + CCI-000366 + Ensure the following mitigations are turned "ON" for Acrobat.exe: -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> RSS Feeds >> "Turn on Basic feed authentication over HTTP" to "Not Configured" or "Disabled". - - - - The default behavior is for the Windows RSS platform to not use Basic authentication over HTTP connections. +DEP: +Enable: ON -If the registry value name below does not exist, this is not a finding. +ASLR: +BottomUp: ON +ForceRelocateImages: ON -If it exists and is configured with a value of "0", this is not a finding. +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -If it exists and is configured with a value of "1", this is a finding. +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\ +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -Value Name: AllowBasicAuthInClear +This is applicable to unclassified systems, for other systems this is NA. -Value Type: REG_DWORD -Value: 0x00000000 (0) (or if the Value Name does not exist) +Run "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Get-ProcessMitigation -Name Acrobat.exe". 
+(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) + +If the following mitigations do not have a status of "ON", this is a finding: + +DEP: +Enable: ON + +ASLR: +BottomUp: ON +ForceRelocateImages: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000410 - Windows Server 2019 must prevent Indexing of encrypted files. - <VulnDiscussion>Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000070 + Windows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Search >> "Allow indexing of encrypted files" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103411 + V-93323 + CCI-000366 + Ensure the following mitigations are turned "ON" for AcroRd32.exe: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Windows Search\ +DEP: +Enable: ON -Value Name: AllowIndexingEncryptedStoresOrItems +ASLR: +BottomUp: ON +ForceRelocateImages: ON -Value Type: REG_DWORD -Value: 0x00000000 (0) +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. + +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. 
+ + + + If the referenced application is not installed on the system, this is NA. + +This is applicable to unclassified systems, for other systems this is NA. + +Run "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Get-ProcessMitigation -Name AcroRd32.exe". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) + +If the following mitigations do not have a status of "ON", this is a finding: + +DEP: +Enable: ON + +ASLR: +BottomUp: ON +ForceRelocateImages: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000095-GPOS-00049 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-MS-000030 - Windows Server 2019 local users on domain-joined member servers must not be enumerated. - <VulnDiscussion>The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000080 + Windows Server 2019 Exploit Protection mitigations must be configured for chrome.exe. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000381 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Logon >> "Enumerate local users on domain-joined computers" to "Disabled". - - - - This applies to member servers. For domain controllers and standalone systems, this is NA. + SV-103413 + V-93325 + CCI-000366 + Ensure the following mitigations are turned "ON" for chrome.exe: -If the following registry value does not exist or is not configured as specified, this is a finding: +DEP: +Enable: ON -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\System\ +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Value Name: EnumerateLocalUsers +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. + +This is applicable to unclassified systems, for other systems this is NA. + +Run "Windows PowerShell" with elevated privileges (run as administrator). 
+ +Enter "Get-ProcessMitigation -Name chrome.exe". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) + +If the following mitigations do not have a status of "ON", this is a finding: + +DEP: +Enable: ON -Type: REG_DWORD -Value: 0x00000000 (0) +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000096-GPOS-00050 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000330 - Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization. - <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000090 + Windows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000382 - Uninstall the "FTP Server" role. + SV-103415 + V-93327 + CCI-000366 + Ensure the following mitigations are turned "ON" for EXCEL.EXE: -Start "Server Manager". +DEP: +Enable: ON -Select the server with the role. +ASLR: +ForceRelocateImages: ON -Scroll down to "ROLES AND FEATURES" in the right pane. +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Select "Remove Roles and Features" from the drop-down "TASKS" list. +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Select the appropriate server on the "Server Selection" page and click "Next". +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -Deselect "FTP Server" under "Web Server (IIS)" on the "Roles" page. +This is applicable to unclassified systems, for other systems this is NA. 
-Click "Next" and "Remove" as prompted. - - - - If the server has the role of an FTP server, this is NA. +Run "Windows PowerShell" with elevated privileges (run as administrator). -Open "PowerShell". +Enter "Get-ProcessMitigation -Name EXCEL.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -Enter "Get-WindowsFeature | Where Name -eq Web-Ftp-Service". +If the following mitigations do not have a status of "ON", this is a finding: -If "Installed State" is "Installed", this is a finding. +DEP: +Enable: ON -An Installed State of "Available" or "Removed" is not a finding. +ASLR: +ForceRelocateImages: ON -If the system has the role of an FTP server, this must be documented with the ISSO. +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000096-GPOS-00050 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000360 - Windows Server 2019 must not have the Telnet Client installed. - <VulnDiscussion>Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000100 + Windows Server 2019 Exploit Protection mitigations must be configured for firefox.exe. 
+ <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000382 - Uninstall the "Telnet Client" feature. + SV-103417 + V-93329 + CCI-000366 + Ensure the following mitigations are turned "ON" for firefox.exe: -Start "Server Manager". +DEP: +Enable: ON -Select the server with the feature. +ASLR: +BottomUp: ON +ForceRelocateImages: ON -Scroll down to "ROLES AND FEATURES" in the right pane. +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Select "Remove Roles and Features" from the drop-down "TASKS" list. +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -Select the appropriate server on the "Server Selection" page and click "Next". +This is applicable to unclassified systems, for other systems this is NA. -Deselect "Telnet Client" on the "Features" page. 
+Run "Windows PowerShell" with elevated privileges (run as administrator). -Click "Next" and "Remove" as prompted. - - - - Open "PowerShell". +Enter "Get-ProcessMitigation -Name firefox.exe". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -Enter "Get-WindowsFeature | Where Name -eq Telnet-Client". +If the following mitigations do not have a status of "ON", this is a finding: -If "Installed State" is "Installed", this is a finding. +DEP: +Enable: ON -An Installed State of "Available" or "Removed" is not a finding. +ASLR: +BottomUp: ON +ForceRelocateImages: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000373-GPOS-00157 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000340 - Windows Server 2019 must not save passwords in the Remote Desktop Client. - <VulnDiscussion>Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving passwords in the Remote Desktop Client. - -Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000110 + Windows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002038 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Connection Client >> "Do not allow passwords to be saved" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93331 + SV-103419 + CCI-000366 + Ensure the following mitigations are turned "ON" for FLTLDR.EXE: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ +DEP: +Enable: ON -Value Name: DisablePasswordSaving +ImageLoad: +BlockRemoteImageLoads: ON -Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000373-GPOS-00157 - <GroupDescription></GroupDescription> - - WN19-CC-000360 - Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection. - <VulnDiscussion>This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in a connection item to connect to the terminal server. 
+Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-002038 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Security >> "Always prompt for password upon connection" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Child Process: +DisallowChildProcessCreation: ON -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Value Name: fPromptForPassword +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. 
-Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000373-GPOS-00157 - <GroupDescription></GroupDescription> - - WN19-CC-000520 - Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials. - <VulnDiscussion>Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with plug-ins. +This is applicable to unclassified systems, for other systems this is NA. -Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-002038 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Disallow WinRM from storing RunAs credentials" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Run "Windows PowerShell" with elevated privileges (run as administrator). -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ +Enter "Get-ProcessMitigation -Name FLTLDR.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
-Value Name: DisableRunAs +If the following mitigations do not have a status of "ON", this is a finding: -Type: REG_DWORD -Value: 0x00000001 (1) +DEP: +Enable: ON + +ImageLoad: +BlockRemoteImageLoads: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +Child Process: +DisallowChildProcessCreation: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000373-GPOS-00157 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000380 - Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled. - <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in Administrator account so that it runs in Admin Approval Mode. - -Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000120 + Windows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002038 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled". - - - - UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). + V-93333 + SV-103421 + CCI-000366 + Ensure the following mitigations are turned "ON" for GROOVE.EXE: -If the following registry value does not exist or is not configured as specified, this is a finding: +DEP: +Enable: ON -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ +ASLR: +ForceRelocateImages: ON -Value Name: FilterAdministratorToken +ImageLoad: +BlockRemoteImageLoads: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +Child Process: +DisallowChildProcessCreation: ON + +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. 
+ +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. + +This is applicable to unclassified systems, for other systems this is NA. + +Run "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Get-ProcessMitigation -Name GROOVE.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) + +If the following mitigations do not have a status of "ON", this is a finding: + +DEP: +Enable: ON + +ASLR: +ForceRelocateImages: ON + +ImageLoad: +BlockRemoteImageLoads: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +Child Process: +DisallowChildProcessCreation: ON -Value Type: REG_DWORD -Value: 0x00000001 (1) +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000373-GPOS-00157 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000410 - Windows Server 2019 User Account Control must automatically deny standard user requests for elevation. - <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation when requested by a standard user account. 
- -Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000130 + Windows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002038 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests". - - - - UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). 
+ V-93335 + SV-103423 + CCI-000366 + Ensure the following mitigations are turned "ON" for iexplore.exe: -If the following registry value does not exist or is not configured as specified, this is a finding: +DEP: +Enable: ON -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ +ASLR: +BottomUp: ON +ForceRelocateImages: ON -Value Name: ConsentPromptBehaviorUser +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Value Type: REG_DWORD -Value: 0x00000000 (0) - - - - - SRG-OS-000373-GPOS-00157 - <GroupDescription></GroupDescription> - - WN19-SO-000440 - Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC. - <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Satisfies: SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00156</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-002038 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled". 
- - - - UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -If the following registry value does not exist or is not configured as specified, this is a finding: +This is applicable to unclassified systems, for other systems this is NA. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ +Run "Windows PowerShell" with elevated privileges (run as administrator). -Value Name: EnableLUA +Enter "Get-ProcessMitigation -Name iexplore.exe". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -Value Type: REG_DWORD -Value: 0x00000001 (1) - - - - - SRG-OS-000104-GPOS-00051 - <GroupDescription></GroupDescription> - - WN19-00-000070 - Windows Server 2019 shared user accounts must not be permitted. - <VulnDiscussion>Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. 
There is no way to provide for nonrepudiation or individual accountability for system access and resource usage.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000764 - Remove unapproved shared accounts from the system. +If the following mitigations do not have a status of "ON", this is a finding: -Document required shared accounts with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. - - - - Determine whether any shared accounts exist. If no shared accounts exist, this is NA. +DEP: +Enable: ON -Shared accounts, such as required by an application, may be approved by the organization. This must be documented with the ISSO. Documentation must include the reason for the account, who has access to the account, and how the risk of using the shared account is mitigated to include monitoring account activity. +ASLR: +BottomUp: ON +ForceRelocateImages: ON -If unapproved shared accounts exist, this is a finding. +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000104-GPOS-00051 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000200 - Windows Server 2019 accounts must require passwords. 
- <VulnDiscussion>The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. Accounts on a system must require passwords.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000140 + Windows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000764 - Configure all enabled accounts to require passwords. + V-93337 + SV-103425 + CCI-000366 + Ensure the following mitigations are turned "ON" for INFOPATH.EXE: -The password required flag can be set by entering the following on a command line: "Net user [username] /passwordreq:yes", substituting [username] with the name of the user account. - - - - Review the password required status for enabled user accounts. +DEP: +Enable: ON -Open "PowerShell". 
+ASLR: +ForceRelocateImages: ON -Domain Controllers: +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Enter "Get-Aduser -Filter * -Properties Passwordnotrequired |FT Name, Passwordnotrequired, Enabled". +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Exclude disabled accounts (e.g., DefaultAccount, Guest) and Trusted Domain Objects (TDOs). +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -If "Passwordnotrequired" is "True" or blank for any enabled user account, this is a finding. +This is applicable to unclassified systems, for other systems this is NA. -Member servers and standalone systems: +Run "Windows PowerShell" with elevated privileges (run as administrator). -Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordRequired=False and LocalAccount=True" | FT Name, PasswordRequired, Disabled, LocalAccount'. +Enter "Get-ProcessMitigation -Name INFOPATH.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -Exclude disabled accounts (e.g., DefaultAccount, Guest). +If the following mitigations do not have a status of "ON", this is a finding: -If any enabled user accounts are returned with a "PasswordRequired" status of "False", this is a finding. 
+DEP: +Enable: ON + +ASLR: +ForceRelocateImages: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000379-GPOS-00164 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-MS-000040 - Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems. - <VulnDiscussion>Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000150 + Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001967 - Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Procedure Call >> "Restrict Unauthenticated RPC clients" to "Enabled" with "Authenticated" selected. - - - - This applies to member servers and standalone systems, it is NA for domain controllers. + V-93339 + SV-103427 + CCI-000366 + Ensure the following mitigations are turned "ON" for java.exe, javaw.exe, and javaws.exe: -If the following registry value does not exist or is not configured as specified, this is a finding: +DEP: +Enable: ON -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Rpc\ +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Value Name: RestrictRemoteClients +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Type: REG_DWORD -Value: 0x00000001 (1) +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". 
It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. + +This is applicable to unclassified systems, for other systems this is NA. + +Run "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Get-ProcessMitigation -Name [application name]" with each of the following substituted for [application name]: +java.exe, javaw.exe, and javaws.exe +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) + +If the following mitigations do not have a status of "ON" for each, this is a finding: + +DEP: +Enable: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000379-GPOS-00164 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000090 - Windows Server 2019 computer account password must not be prevented from being reset. - <VulnDiscussion>Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for the system. A new password for the computer account will be generated every 30 days.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000160 + Windows Server 2019 Exploit Protection mitigations must be configured for lync.exe. 
+ <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001967 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Disable machine account password changes" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103429 + V-93341 + CCI-000366 + Ensure the following mitigations are turned "ON" for lync.exe: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ +DEP: +Enable: ON -Value Name: DisablePasswordChange +ASLR: +ForceRelocateImages: ON -Value Type: REG_DWORD -Value: 0x00000000 (0) +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. 
+ +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. + +This is applicable to unclassified systems, for other systems this is NA. + +Run "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Get-ProcessMitigation -Name lync.exe". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) + +If the following mitigations do not have a status of "ON", this is a finding: + +DEP: +Enable: ON + +ASLR: +ForceRelocateImages: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000118-GPOS-00060 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000190 - Windows Server 2019 outdated or unused accounts must be removed or disabled. - <VulnDiscussion>Outdated or unused accounts provide penetration points that may go undetected. 
Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000170 + Windows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000795 - Regularly review accounts to determine if they are still active. Remove or disable accounts that have not been used in the last 35 days. - - - - Open "Windows PowerShell". + SV-103431 + V-93343 + CCI-000366 + Ensure the following mitigations are turned "ON" for MSACCESS.EXE: -Domain Controllers: +DEP: +Enable: ON -Enter "Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00" +ASLR: +ForceRelocateImages: ON -This will return accounts that have not been logged on to for 35 days, along with various attributes such as the Enabled status and LastLogonDate. 
+Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Member servers and standalone systems: +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Copy or enter the lines below to the PowerShell window and enter. (Entering twice may be required. Do not include the quotes at the beginning and end of the query.) +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -"([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { $_.SchemaClassName -eq 'user' } | ForEach { - $user = ([ADSI]$_.Path) - $lastLogin = $user.Properties.LastLogin.Value - $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 - if ($lastLogin -eq $null) { - $lastLogin = 'Never' - } - Write-Host $user.Name $lastLogin $enabled -}" +This is applicable to unclassified systems, for other systems this is NA. -This will return a list of local accounts with the account name, last logon, and if the account is enabled (True/False). -For example: User1 10/31/2015 5:49:56 AM True +Run "Windows PowerShell" with elevated privileges (run as administrator). -Review the list of accounts returned by the above queries to determine the finding validity for each account reported. +Enter "Get-ProcessMitigation -Name MSACCESS.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) 
-Exclude the following accounts: +If the following mitigations do not have a status of "ON", this is a finding: -- Built-in administrator account (Renamed, SID ending in 500) -- Built-in guest account (Renamed, Disabled, SID ending in 501) -- Application accounts +DEP: +Enable: ON -If any enabled accounts have not been logged on to within the past 35 days, this is a finding. +ASLR: +ForceRelocateImages: ON -Inactive accounts that have been reviewed and deemed to be required must be documented with the ISSO. +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000078-GPOS-00046 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000050 - Windows Server 2019 manually managed application account passwords must be at least 15 characters in length. - <VulnDiscussion>Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 characters in length.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000180 + Windows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000205 - Establish a policy that requires application/service account passwords that are manually managed to be at least 15 characters in length. Ensure the policy is enforced. - - - - Determine if manually managed application/service accounts exist. If none exist, this is NA. + SV-103433 + V-93345 + CCI-000366 + Ensure the following mitigations are turned "ON" for MSPUB.EXE: -Verify the organization has a policy to ensure passwords for manually managed application/service accounts are at least 15 characters in length. +DEP: +Enable: ON -If such a policy does not exist or has not been implemented, this is a finding. +ASLR: +ForceRelocateImages: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. + +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. 
+ + + + If the referenced application is not installed on the system, this is NA. + +This is applicable to unclassified systems, for other systems this is NA. + +Run "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Get-ProcessMitigation -Name MSPUB.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) + +If the following mitigations do not have a status of "ON", this is a finding: + +DEP: +Enable: ON + +ASLR: +ForceRelocateImages: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000073-GPOS-00041 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000300 - Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords. - <VulnDiscussion>The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of the password is stored in the SAM the next time the password is changed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000190 + Windows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000196 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Do not store LAN Manager hash value on next password change" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93347 + SV-103435 + CCI-000366 + Ensure the following mitigations are turned "ON" for OIS.EXE: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ +DEP: +Enable: ON -Value Name: NoLMHash +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Value Type: REG_DWORD -Value: 0x00000001 (1) +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. + +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. 
+ + + + If the referenced application is not installed on the system, this is NA. + +This is applicable to unclassified systems, for other systems this is NA. + +Run "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Get-ProcessMitigation -Name OIS.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) + +If the following mitigations do not have a status of "ON", this is a finding: + +DEP: +Enable: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000074-GPOS-00042 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000180 - Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. - <VulnDiscussion>Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the overall security of the environment. Check with the vendor of the SMB server to determine if there is a way to support encrypted password authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000200 + Windows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe. 
+ <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000197 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Client: Send unencrypted password to third-party SMB servers" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93349 + SV-103437 + CCI-000366 + Ensure the following mitigations are turned "ON" for OneDrive.exe: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ +DEP: +Enable: ON -Value Name: EnablePlainTextPassword +ASLR: +ForceRelocateImages: ON -Value Type: REG_DWORD -Value: 0x00000000 (0) - - - - - SRG-OS-000076-GPOS-00044 - <GroupDescription></GroupDescription> - - WN19-00-000020 - Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days. - <VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password not may be changed as frequently as necessary. 
Changing the password for the built-in Administrator account on a regular basis will limit its exposure. +ImageLoad: +BlockRemoteImageLoads: ON -Organizations that use an automated tool, such Microsoft's Local Administrator Password Solution (LAPS), on domain-joined systems can configure this to occur more frequently. LAPS will change the password every "30" days by default.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000199 - Change the built-in Administrator account password at least every "60" days. +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Automated tools, such as Microsoft's LAPS, may be used on domain-joined member servers to accomplish this. - - - - Review the password last set date for the built-in Administrator account. +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Domain controllers: +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -Open "PowerShell". 
+This is applicable to unclassified systems, for other systems this is NA. -Enter "Get-ADUser -Filter * -Properties SID, PasswordLastSet | Where SID -Like "*-500" | Ft Name, SID, PasswordLastSet". +Run "Windows PowerShell" with elevated privileges (run as administrator). -If the "PasswordLastSet" date is greater than "60" days old, this is a finding. +Enter "Get-ProcessMitigation -Name OneDrive.exe". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -Member servers and standalone systems: +If the following mitigations do not have a status of "ON", this is a finding: -Open "Command Prompt". +DEP: +Enable: ON -Enter 'Net User [account name] | Find /i "Password Last Set"', where [account name] is the name of the built-in administrator account. +ASLR: +ForceRelocateImages: ON -(The name of the built-in Administrator account must be changed to something other than "Administrator" per STIG requirements.) +ImageLoad: +BlockRemoteImageLoads: ON -If the "PasswordLastSet" date is greater than "60" days old, this is a finding. +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000076-GPOS-00044 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000210 - Windows Server 2019 passwords must be configured to expire. 
- <VulnDiscussion>Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000210 + Windows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000199 - Configure all enabled user account passwords to expire. + V-93351 + SV-103439 + CCI-000366 + Ensure the following mitigations are turned "ON" for OUTLOOK.EXE: -Uncheck "Password never expires" for all enabled user accounts in Active Directory Users and Computers for domain accounts and Users in Computer Management for member servers and standalone systems. Document any exceptions with the ISSO. - - - - Review the password never expires status for enabled user accounts. 
+DEP: +Enable: ON + +ASLR: +ForceRelocateImages: ON + +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Open "PowerShell". +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -Domain Controllers: +This is applicable to unclassified systems, for other systems this is NA. -Enter "Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled". +Run "Windows PowerShell" with elevated privileges (run as administrator). -Exclude application accounts, disabled accounts (e.g., DefaultAccount, Guest) and the krbtgt account. +Enter "Get-ProcessMitigation -Name OUTLOOK.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -If any enabled user accounts are returned with a "PasswordNeverExpires" status of "True", this is a finding. +If the following mitigations do not have a status of "ON", this is a finding: -Member servers and standalone systems: +DEP: +Enable: ON -Enter 'Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | FT Name, PasswordExpires, Disabled, LocalAccount'. +ASLR: +ForceRelocateImages: ON -Exclude application accounts and disabled accounts (e.g., DefaultAccount, Guest). 
+Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -If any enabled user accounts are returned with a "PasswordExpires" status of "False", this is a finding. +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000066-GPOS-00034 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-PK-000010 - Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. - <VulnDiscussion>To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs. - -Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000220 + Windows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000185 - CCI-002470 - Install the DoD Root CA certificates: - -DoD Root CA 2 -DoD Root CA 3 -DoD Root CA 4 -DoD Root CA 5 - -The InstallRoot tool is available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx. - - - - The certificates and thumbprints referenced below apply to unclassified systems; see PKE documentation for other networks. - -Open "Windows PowerShell" as an administrator. + V-93353 + SV-103441 + CCI-000366 + Ensure the following mitigations are turned "ON" for plugin-container.exe: -Execute the following command: - -Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter - -If the following certificate "Subject" and "Thumbprint" information is not displayed, this is a finding. +DEP: +Enable: ON -If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 -NotAfter: 12/5/2029 +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. 
Government, C=US -Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB -NotAfter: 12/30/2029 +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -Subject: CN=DoD Root CA 4, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 -NotAfter: 7/25/2032 +This is applicable to unclassified systems, for other systems this is NA. -Subject: CN=DoD Root CA 5, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B -NotAfter: 6/14/2041 +Run "Windows PowerShell" with elevated privileges (run as administrator). -Alternately, use the Certificates MMC snap-in: +Enter "Get-ProcessMitigation -Name plugin-container.exe". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -Run "MMC". +If the following mitigations do not have a status of "ON", this is a finding: -Select "File", "Add/Remove Snap-in". +DEP: +Enable: ON -Select "Certificates" and click "Add". +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Select "Computer account" and click "Next". +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN19-EP-000230 + Windows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE. 
+ <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93355 + SV-103443 + CCI-000366 + Ensure the following mitigations are turned "ON" for POWERPNT.EXE: -Select "Local computer: (the computer this console is running on)" and click "Finish". +DEP: +Enable: ON -Click "OK". +ASLR: +ForceRelocateImages: ON -Expand "Certificates" and navigate to "Trusted Root Certification Authorities >> Certificates". +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -For each of the DoD Root CA certificates noted below: +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Right-click on the certificate and select "Open". +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -Select the "Details" Tab. 
+This is applicable to unclassified systems, for other systems this is NA. -Scroll to the bottom and select "Thumbprint". +Run "Windows PowerShell" with elevated privileges (run as administrator). -If the DoD Root CA certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. +Enter "Get-ProcessMitigation -Name POWERPNT.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. +If the following mitigations do not have a status of "ON", this is a finding: -DoD Root CA 2 -Thumbprint: 8C941B34EA1EA6ED9AE2BC54CF687252B4C9B561 -Valid to: Wednesday, December 5, 2029 +DEP: +Enable: ON -DoD Root CA 3 -Thumbprint: D73CA91102A2204A36459ED32213B467D7CE97FB -Valid to: Sunday, December 30, 2029 +ASLR: +ForceRelocateImages: ON -DoD Root CA 4 -Thumbprint: B8269F25DBD937ECAFD4C35A9838571723F2D026 -Valid to: Sunday, July 25, 2032 +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -DoD Root CA 5 -Thumbprint: 4ECB5CC3095670454DA1CBD410FC921F46B8564B -Valid to: Friday, June 14, 2041 +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000066-GPOS-00034 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-PK-000020 - Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. 
- <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. This requirement only applies to unclassified systems. - -Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000240 + Windows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000185 - CCI-002470 - Install the DoD Interoperability Root CA cross-certificates on unclassified systems. 
- -Issued To - Issued By - Thumbprint -DoD Root CA 2 - DoD Interoperability Root CA 1 - 22BBE981F0694D246CC1472ED2B021DC8540A22F + V-93357 + SV-103445 + CCI-000366 + Ensure the following mitigations are turned "ON" for PPTVIEW.EXE: -DoD Root CA 3 - DoD Interoperability Root CA 2 - FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 - -DoD Root CA 3 - DoD Interoperability Root CA 2 - FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 - -Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user. +DEP: +Enable: ON -The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx. - - - - This is applicable to unclassified systems. It is NA for others. +ASLR: +ForceRelocateImages: ON -Open "PowerShell" as an administrator. +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Execute the following command: +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. 
+This is applicable to unclassified systems, for other systems this is NA. -If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. +Run "Windows PowerShell" with elevated privileges (run as administrator). -Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Issuer: CN=DoD Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F -NotAfter: 9/6/2019 +Enter "Get-ProcessMitigation -Name PPTVIEW.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US -Issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 -NotAfter: 2/17/2019 +If the following mitigations do not have a status of "ON", this is a finding: -Alternately, use the Certificates MMC snap-in: +DEP: +Enable: ON -Run "MMC". +ASLR: +ForceRelocateImages: ON -Select "File", "Add/Remove Snap-in". +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Select "Certificates" and click "Add". +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN19-EP-000250 + Windows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. 
Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93359 + SV-103447 + CCI-000366 + Ensure the following mitigations are turned "ON" for VISIO.EXE: -Select "Computer account" and click "Next". +DEP: +Enable: ON -Select "Local computer: (the computer this console is running on)" and click "Finish". +ASLR: +ForceRelocateImages: ON -Click "OK". +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -For each certificate with "DoD Root CA..." under "Issued To" and "DoD Interoperability Root CA..." under "Issued By": +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -Right-click on the certificate and select "Open". +This is applicable to unclassified systems, for other systems this is NA. -Select the "Details" Tab. 
+Run "Windows PowerShell" with elevated privileges (run as administrator). -Scroll to the bottom and select "Thumbprint". +Enter "Get-ProcessMitigation -Name VISIO.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -If the certificates below are not listed or the value for the "Thumbprint" field is not as noted, this is a finding. +If the following mitigations do not have a status of "ON", this is a finding: -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. +DEP: +Enable: ON -Issued To: DoD Root CA 2 -Issued By: DoD Interoperability Root CA 1 -Thumbprint: 22BBE981F0694D246CC1472ED2B021DC8540A22F -Valid to: Friday, September 6, 2019 +ASLR: +ForceRelocateImages: ON -Issued To: DoD Root CA 3 -Issued By: DoD Interoperability Root CA 2 -Thumbprint: FFAD03329B9E527A43EEC66A56F9CBB5393E6E13 -Valid to: Sunday, September 23, 2018 +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Issued To: DoD Root CA 3 -Issued By: DoD Interoperability Root CA 2 -Thumbprint: FCE1B1E25374DD94F5935BEB86CA643D8C8D1FF4 -Valid to: Sunday, February 17, 2019 +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000066-GPOS-00034 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-PK-000030 - Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. - <VulnDiscussion>To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store. 
This requirement only applies to unclassified systems. - -Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000260 + Windows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000185 - CCI-002470 - Install the US DoD CCEB Interoperability Root CA cross-certificate on unclassified systems. - -Issued To - Issued By - Thumbprint -DoD Root CA 2 - US DoD CCEB Interoperability Root CA 1 - DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 + V-93361 + SV-103449 + CCI-000366 + Ensure the following mitigations are turned "ON" for VPREVIEW.EXE: -DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 - 929BF3196896994C0A201DF4A5B71F603FEFBF2E +DEP: +Enable: ON -Administrators should run the Federal Bridge Certification Authority (FBCA) Cross-Certificate Removal Tool once as an administrator and once as the current user. 
+ASLR: +ForceRelocateImages: ON -The FBCA Cross-Certificate Remover Tool and User Guide are available on IASE at http://iase.disa.mil/pki-pke/Pages/tools.aspx. - - - - This is applicable to unclassified systems. It is NA for others. +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Open "PowerShell" as an administrator. +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Execute the following command: +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter +This is applicable to unclassified systems, for other systems this is NA. -If the following certificate "Subject", "Issuer", and "Thumbprint" information is not displayed, this is a finding. +Run "Windows PowerShell" with elevated privileges (run as administrator). -If an expired certificate ("NotAfter" date) is not listed in the results, this is not a finding. +Enter "Get-ProcessMitigation -Name VPREVIEW.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -Subject: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Issuer: CN=US DoD CCEB Interoperability Root CA 1, OU=PKI, OU=DoD, O=U.S. 
Government, C=US -Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 -NotAfter: 3/9/2019 +If the following mitigations do not have a status of "ON", this is a finding: -Subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US -Issuer: CN=US DoD CCEB Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US -Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E -NotAfter: 9/27/2019 +DEP: +Enable: ON -Alternately, use the Certificates MMC snap-in: +ASLR: +ForceRelocateImages: ON -Run "MMC". +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Select "File", "Add/Remove Snap-in". +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN19-EP-000270 + Windows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103451 + V-93363 + CCI-000366 + Ensure the following mitigations are turned "ON" for WINWORD.EXE: -Select "Certificates" and click "Add". +DEP: +Enable: ON -Select "Computer account" and click "Next". 
+ASLR: +ForceRelocateImages: ON -Select "Local computer: (the computer this console is running on)" and click "Finish". +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Click "OK". +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Expand "Certificates" and navigate to "Untrusted Certificates >> Certificates". +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -For each certificate with "US DoD CCEB Interoperability Root CA ..." under "Issued By": +This is applicable to unclassified systems, for other systems this is NA. -Right-click on the certificate and select "Open". +Run "Windows PowerShell" with elevated privileges (run as administrator). -Select the "Details" Tab. +Enter "Get-ProcessMitigation -Name WINWORD.EXE". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -Scroll to the bottom and select "Thumbprint". +If the following mitigations do not have a status of "ON", this is a finding: -If the certificate below is not listed or the value for the "Thumbprint" field is not as noted, this is a finding. +DEP: +Enable: ON -If an expired certificate ("Valid to" date) is not listed in the results, this is not a finding. 
+ASLR: +ForceRelocateImages: ON -Issued To: DoD Root CA 2 -Issued By: US DoD CCEB Interoperability Root CA 1 -Thumbprint: DA36FAF56B2F6FBA1604F5BE46D864C9FA013BA3 -Valid to: Saturday, March 9, 2019 +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Issued To: DoD Root CA 3 -Issuer by: US DoD CCEB Interoperability Root CA 2 -Thumbprint: 929BF3196896994C0A201DF4A5B71F603FEFBF2E -Valid: Friday, September 27, 2019 +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000067-GPOS-00035 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000350 - Windows Server 2019 users must be required to enter a password to access private keys stored on the computer. - <VulnDiscussion>If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. - -The cornerstone of the PKI is the private key used to encrypt or digitally sign information. - -If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. 
- -Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000280 + Windows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000186 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Force strong key protection for user keys stored on the computer" to "User must enter a password each time they use a key". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103453 + V-93365 + CCI-000366 + Ensure the following mitigations are turned "ON" for wmplayer.exe: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Cryptography\ +DEP: +Enable: ON -Value Name: ForceKeyProtection +Payload: +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Type: REG_DWORD -Value: 0x00000002 (2) - - - - - SRG-OS-000120-GPOS-00061 - <GroupDescription></GroupDescription> - - WN19-SO-000290 - Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. - <VulnDiscussion>Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting "The other domain supports Kerberos AES Encryption" on domain trusts, may be required to allow client communication across the trust relationship.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000803 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: +The XML file is applied with 
the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -AES128_HMAC_SHA1 -AES256_HMAC_SHA1 -Future encryption types +This is applicable to unclassified systems, for other systems this is NA. -Note: Organizations with domain controllers running earlier versions of Windows where RC4 encryption is enabled, selecting "The other domain supports Kerberos AES Encryption" on domain trusts, may be required to allow client communication across the trust relationship. - - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Run "Windows PowerShell" with elevated privileges (run as administrator). -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ +Enter "Get-ProcessMitigation -Name wmplayer.exe". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) -Value Name: SupportedEncryptionTypes +If the following mitigations do not have a status of "ON", this is a finding: -Value Type: REG_DWORD -Value: 0x7ffffff8 (2147483640) +DEP: +Enable: ON + +Payload: +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON + +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000393-GPOS-00173 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000480 - Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic. 
- <VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. - -Satisfies: SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-EP-000290 + Windows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe. + <VulnDiscussion>Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002890 - CCI-003123 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow unencrypted traffic" to "Disabled". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103455 + V-93367 + CCI-000366 + Ensure the following mitigations are turned "ON" for wordpad.exe: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ +DEP: +Enable: ON -Value Name: AllowUnencryptedTraffic +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Type: REG_DWORD -Value: 0x00000000 (0) - - - - - SRG-OS-000393-GPOS-00173 - <GroupDescription></GroupDescription> - - WN19-CC-000510 - Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic. - <VulnDiscussion>Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. +Application mitigations defined in the STIG are configured by a DoD EP XML file included with the STIG package in the "Supporting Files" folder. -Satisfies: SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-002890 - CCI-003123 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow unencrypted traffic" to "Disabled". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: +The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. + + + + If the referenced application is not installed on the system, this is NA. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ +This is applicable to unclassified systems, for other systems this is NA. + +Run "Windows PowerShell" with elevated privileges (run as administrator). + +Enter "Get-ProcessMitigation -Name wordpad.exe". +(Get-ProcessMitigation can be run without the -Name parameter to get a list of all application mitigations configured.) + +If the following mitigations do not have a status of "ON", this is a finding: + +DEP: +Enable: ON -Value Name: AllowUnencryptedTraffic +Payload: +EnableExportAddressFilter: ON +EnableExportAddressFilterPlus: ON +EnableImportAddressFilter: ON +EnableRopStackPivot: ON +EnableRopCallerCheck: ON +EnableRopSimExec: ON -Type: REG_DWORD -Value: 0x00000000 (0) +The PowerShell command produces a list of mitigations; only those with a required status of "ON" are listed here. - - SRG-OS-000125-GPOS-00065 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000470 - Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication. - <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-MS-000050 + Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers. + <VulnDiscussion>The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers being unavailable. Even though the credential cache is well protected, if a system is attacked, an unauthorized individual may isolate the password to a domain user account using a password-cracking program and gain access to the domain.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000877 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Allow Basic authentication" to "Disabled". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93275 + SV-103363 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Number of previous logons to cache (in case Domain Controller is not available)" to "4" logons or less. + + + + This applies to member servers. For domain controllers and standalone systems, this is NA. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ +If the following registry value does not exist or is not configured as specified, this is a finding: -Value Name: AllowBasic +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ -Type: REG_DWORD -Value: 0x00000000 (0) +Value Name: CachedLogonsCount + +Value Type: REG_SZ +Value: 4 (or less) - - SRG-OS-000125-GPOS-00065 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000490 - Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication. - <VulnDiscussion>Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-MS-000140 + Windows Server 2019 must be running Credential Guard on domain-joined member servers. + <VulnDiscussion>Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. 
This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000877 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Disallow Digest authentication" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93277 + SV-103365 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\ +A Microsoft article on Credential Guard system requirement can be found at the following link: -Value Name: AllowDigest +https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements + +Severity Override Guidance: The AO can allow the severity override if they have reviewed the overall protection provided to the affected servers that are not capable of complying with the Credential Guard requirement. 
Items that should be reviewed/considered for compliance or mitigation for non-Credential Guard compliance are: + +The use of Microsoft Local Administrator Password Solution (LAPS) or similar products to control different local administrative passwords for all affected affected servers. This is to include a strict password change requirement (60 days or less). +…. +Strict separation of roles and duties. Server administrator credentials cannot be used on Windows 10 desktop to administer it. Documentation of all exceptions should be supplied. +…. +Use of a Privileged Access Workstation (PAW) and adherence to the Clean Source principle for administering affected affected servers. +…. +Boundary Protection that is currently in place to protect from vulnerabilities in the network/servers. +…. +Windows Defender rule block credential stealing from LSASS.exe is applied. This rule can only be applied if Windows Defender is in use. +…. +The overall number of vulnerabilities that are unmitigated on the network/servers. + + + + + For domain controllers and standalone systems, this is NA. -Type: REG_DWORD -Value: 0x00000000 (0) - - - - - SRG-OS-000125-GPOS-00065 - <GroupDescription></GroupDescription> - - WN19-CC-000500 - Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication. - <VulnDiscussion>Basic authentication uses plain-text passwords that could be used to compromise a system. 
Disabling Basic authentication will reduce this potential.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000877 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Service >> "Allow Basic authentication" to "Disabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: +Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements, including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\ +Open "PowerShell" with elevated privileges (run as administrator). -Value Name: AllowBasic +Enter the following: -Type: REG_DWORD -Value: 0x00000000 (0) - - - - - SRG-OS-000478-GPOS-00223 - <GroupDescription></GroupDescription> - - WN19-SO-000360 - Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. - <VulnDiscussion>This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. 
Government and must be the algorithms used for all OS encryption functions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-002450 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: +"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ +If "SecurityServicesRunning" does not include a value of "1" (e.g., "{1, 2}"), this is a finding. -Value Name: Enabled +Alternately: -Value Type: REG_DWORD -Value: 0x00000001 (1) - -Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS; otherwise. the browser will not be able to connect to a secure site. - - - - - SRG-OS-000185-GPOS-00079 - <GroupDescription></GroupDescription> - - WN19-00-000250 - Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. - <VulnDiscussion>This requirement addresses protection of user-generated data as well as operating system-specific configuration data. 
Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. +Run "System Information". -Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). +Under "System Summary", verify the following: -Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-001199 - CCI-002475 - CCI-002476 - Configure systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data to employ encryption to protect the confidentiality and integrity of all information at rest. - - - - Verify systems that require additional protections due to factors such as inadequate physical protection or sensitivity of the data employ encryption to protect the confidentiality and integrity of all information at rest. +If "Device Guard Security Services Running" does not list "Credential Guard", this is a finding. -If they do not, this is a finding. +The policy settings referenced in the Fix section will configure the following registry value. 
However, due to hardware requirements, the registry value alone does not ensure proper function. + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ + +Value Name: LsaCfgFlags +Value Type: REG_DWORD +Value: 0x00000001 (1) (Enabled with UEFI lock) + +A Microsoft article on Credential Guard system requirement can be found at the following link: + +https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements - - SRG-OS-000134-GPOS-00068 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000240 - Windows Server 2019 administrator accounts must not be enumerated during elevation. - <VulnDiscussion>Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a username and password to elevate a running application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000020 + Windows Server 2019 must prevent local accounts with blank passwords from being used from the network. + <VulnDiscussion>An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a system. 
However, if a local account with a blank password does exist, enabling this setting will prevent network access, limiting the account to local console logon only.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001084 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Credential User Interface >> "Enumerate administrator accounts on elevation" to "Disabled". - - - + SV-103367 + V-93279 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Limit local account use of blank passwords to console logon only" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ -Value Name: EnumerateAdministrators +Value Name: LimitBlankPasswordUse -Type: REG_DWORD -Value: 0x00000000 (0) +Value Type: REG_DWORD +Value: 0x00000001 (1) - - SRG-OS-000134-GPOS-00068 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-MS-000020 - Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers. 
- <VulnDiscussion>A compromised local administrator account can provide means for an attacker to move laterally between domain systems. - -With User Account Control enabled, filtering the privileged token for local administrator accounts will prevent the elevated privileges of these accounts from being used over the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000100 + Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less. + <VulnDiscussion>Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than 30 days, ensuring the machine changes its password monthly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001084 - Configure the policy value for Computer Configuration >> Administrative Templates >> MS Security Guide >> "Apply UAC restrictions to local accounts on network logons" to "Enabled". + V-93285 + SV-103373 + CCI-000366 + This is the default configuration for this setting (30 days). -This policy setting requires the installation of the SecGuide custom templates included with the STIG package. 
"SecGuide.admx" and " SecGuide.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. - - - - This applies to member servers. For domain controllers and standalone systems, this is NA. +Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Maximum machine account password age" to "30" or less (excluding "0", which is unacceptable). + + + + This is the default configuration for this setting (30 days). If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - -Value Name: LocalAccountTokenFilterPolicy +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ -Type: REG_DWORD -Value: 0x00000000 (0) +Value Name: MaximumPasswordAge -This setting may cause issues with some network scanning tools if local administrative accounts are used remotely. Scans should use domain accounts where possible. If a local administrative account must be used, temporarily enabling the privileged token by configuring the registry value to "1" may be required. +Value Type: REG_DWORD +Value: 0x0000001e (30) (or less, but not 0) - - SRG-OS-000134-GPOS-00068 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000390 - Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. - <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting prevents User Interface Accessibility programs from disabling the secure desktop for elevation prompts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000150 + Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation. + <VulnDiscussion>Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001084 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" to "Disabled". - - - - UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). 
- -If the following registry value does not exist or is not configured as specified, this is a finding: + V-93287 + SV-103375 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ +Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ + +Value Name: scremoveoption -Value Name: EnableUIADesktopToggle +Value Type: REG_SZ +Value: 1 (Lock Workstation) or 2 (Force Logoff) -Value Type: REG_DWORD -Value: 0x00000000 (0) +If configuring this on servers causes issues, such as terminating users' remote sessions, and the organization has a policy in place that any other sessions on the servers, such as administrative console logons, are manually locked or logged off when unattended or not in use, this would be acceptable. This must be documented with the ISSO. - - SRG-OS-000134-GPOS-00068 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000400 - Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. - <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. 
This setting configures the elevation requirements for logged-on administrators to complete a task that requires raised privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000210 + Windows Server 2019 must not allow anonymous SID/Name translation. + <VulnDiscussion>Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001084 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent on the secure desktop". - -The more secure option for this setting, "Prompt for credentials on the secure desktop", would also be acceptable. - - - - UAC requirements are NA for Server Core installations (this is default installation option for Windows Server 2019 versus Server with Desktop Experience). 
- -If the following registry value does not exist or is not configured as specified, this is a finding: + V-93289 + SV-103377 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Allow anonymous SID/Name translation" to "Disabled". + + + + Verify the effective setting in Local Group Policy Editor. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ +Run "gpedit.msc". -Value Name: ConsentPromptBehaviorAdmin +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. -Value Type: REG_DWORD -Value: 0x00000002 (2) (Prompt for consent on the secure desktop) -0x00000001 (1) (Prompt for credentials on the secure desktop) +If the value for "Network access: Allow anonymous SID/Name translation" is not set to "Disabled", this is a finding. - - SRG-OS-000134-GPOS-00068 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000420 - Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation. - <VulnDiscussion>User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Windows to respond to application installation requests by prompting for credentials.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000220 + Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts. 
+ <VulnDiscussion>Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all accounts names, thus providing a list of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001084 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Detect application installations and prompt for elevation" to "Enabled". - - - - UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). - -If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103379 + V-93291 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ -Value Name: EnableInstallerDetection +Value Name: RestrictAnonymousSAM Value Type: REG_DWORD Value: 0x00000001 (1) - - SRG-OS-000134-GPOS-00068 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000430 - Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations. - <VulnDiscussion>UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in a secure location on the file system, such as the Program Files or the Windows\System32 folders, to run with elevated privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000240 + Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group. + <VulnDiscussion>Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. 
Anonymous users must not have these permissions or rights.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001084 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled". - - - - UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). - -If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103381 + V-93293 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Let Everyone permissions apply to anonymous users" to "Disabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ -Value Name: EnableSecureUIAPaths +Value Name: EveryoneIncludesAnonymous Value Type: REG_DWORD -Value: 0x00000001 (1) +Value: 0x00000000 (0) - - SRG-OS-000134-GPOS-00068 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000450 - Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations. - <VulnDiscussion>UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in virtualized file and registry entries in per-user locations, allowing them to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000260 + Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. 
+ <VulnDiscussion>Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001084 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled". - - - - UAC requirements are NA for Server Core installations (this is the default installation option for Windows Server 2019 versus Server with Desktop Experience). - -If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103383 + V-93295 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow Local System to use computer identity for NTLM" to "Enabled". 
+ + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\ -Value Name: EnableVirtualization +Value Name: UseMachineId -Value Type: REG_DWORD +Type: REG_DWORD Value: 0x00000001 (1) - - SRG-OS-000138-GPOS-00069 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000230 - Windows Server 2019 non-system-created file shares must limit access to groups that require it. - <VulnDiscussion>Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that require it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000270 + Windows Server 2019 must prevent NTLM from falling back to a Null session. 
+ <VulnDiscussion>NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001090 - If a non-system-created share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. - -Remove any unnecessary non-system-created shares. - - - - If only system-created shares such as "ADMIN$", "C$", and "IPC$" exist on the system, this is NA. (System-created shares will display a message that it has been shared for administrative purposes when "Properties" is selected.) - -Run "Computer Management". - -Navigate to System Tools >> Shared Folders >> Shares. - -Right-click any non-system-created shares. - -Select "Properties". - -Select the "Share Permissions" tab. + V-93297 + SV-103385 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow LocalSystem NULL session fallback" to "Disabled". + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -If the file shares have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\MSV1_0\ -Select the "Security" tab. 
+Value Name: allownullsessionfallback -If the permissions have not been configured to restrict permissions to the specific groups or accounts that require access, this is a finding. +Type: REG_DWORD +Value: 0x00000000 (0) - - SRG-OS-000138-GPOS-00069 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000350 - Windows Server 2019 Remote Desktop Services must prevent drive redirection. - <VulnDiscussion>Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000280 + Windows Server 2019 must prevent PKU2U authentication using online identities. + <VulnDiscussion>PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. 
Authentication will be centrally managed with Windows user accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001090 - Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Device and Resource Redirection >> "Do not allow drive redirection" to "Enabled". - - - + V-93299 + SV-103387 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ +Registry Path: \SYSTEM\CurrentControlSet\Control\LSA\pku2u\ -Value Name: fDisableCdm +Value Name: AllowOnlineID Type: REG_DWORD -Value: 0x00000001 (1) +Value: 0x00000000 (0) - - SRG-OS-000138-GPOS-00069 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000230 - Windows Server 2019 must not allow anonymous enumeration of shares. 
- <VulnDiscussion>Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000310 + Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. + <VulnDiscussion>The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for compatibility with clients and servers that are running earlier versions of Windows or applications that still use it. It is also used to authenticate logons to standalone computers that are running later versions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001090 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Do not allow anonymous enumeration of SAM accounts and shares" to "Enabled". 
- - - + V-93301 + SV-103389 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM". + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE +Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\ -Value Name: RestrictAnonymous +Value Name: LmCompatibilityLevel Value Type: REG_DWORD -Value: 0x00000001 (1) +Value: 0x00000005 (5) - - SRG-OS-000138-GPOS-00069 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000250 - Windows Server 2019 must restrict anonymous access to Named Pipes and Shares. - <VulnDiscussion>Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in "Network access: Named Pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously", both of which must be blank under other requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000320 + Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing. + <VulnDiscussion>This setting controls the signing requirements for LDAP clients. 
This must be set to "Negotiate signing" or "Require signing", depending on the environment and type of LDAP server in use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001090 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Restrict anonymous access to Named Pipes and Shares" to "Enabled". - - - + V-93303 + SV-103391 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum. + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ +Registry Path: \SYSTEM\CurrentControlSet\Services\LDAP\ -Value Name: RestrictNullSessAccess +Value Name: LDAPClientIntegrity Value Type: REG_DWORD Value: 0x00000001 (1) - - SRG-OS-000420-GPOS-00186 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-CC-000060 - Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers. - <VulnDiscussion>Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. 
The DoS consists of sending a NetBIOS name release request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000330 + Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. + <VulnDiscussion>Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002385 - Configure the policy value for Computer Configuration >> Administrative Templates >> MSS (Legacy) >> "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" to "Enabled". - -This policy setting requires the installation of the MSS-Legacy custom templates included with the STIG package. "MSS-Legacy.admx" and "MSS-Legacy.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. 
- - - + SV-103393 + V-93305 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected). + + + If the following registry value does not exist or is not configured as specified, this is a finding: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -Value Name: NoNameReleaseOnDemand +Value Name: NTLMMinClientSec -Value Type: REG_DWORD -Value: 0x00000001 (1) +Value Type: REG_DWORD +Value: 0x20080000 (537395200) - - SRG-OS-000425-GPOS-00189 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-00-000260 - Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. - <VulnDiscussion>Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. - -Ensuring the confidentiality of transmitted information requires the operating system to take measures in preparing information for transmission. This can be accomplished via access control and encryption. - -Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. 
When transmitting data, operating systems need to support transmission protection mechanisms such as TLS, encrypted VPNs, or IPsec. - -Satisfies: SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000340 + Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. + <VulnDiscussion>Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002420 - CCI-002422 - Configure protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. - - - - If the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, verify protection methods such as TLS, encrypted VPNs, or IPsec have been implemented. 
+ SV-103395 + V-93307 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected). + + + + If the following registry value does not exist or is not configured as specified, this is a finding: -If protection methods have not been implemented, this is a finding. +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ + +Value Name: NTLMMinServerSec + +Value Type: REG_DWORD +Value: 0x20080000 (537395200) - - SRG-OS-000423-GPOS-00187 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000060 - Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. - <VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted and signed. - -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-SO-000370 + Windows Server 2019 default permissions of global system objects must be strengthened. + <VulnDiscussion>Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. 
Each type of object is created with a default Discretionary Access Control List (DACL) that specifies who can access the objects with what permissions. When this policy is enabled, the default DACL is stronger, allowing non-administrative users to read shared objects but not to modify shared objects they did not create.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt or sign secure channel data (always)" to "Enabled". - - - + V-93309 + SV-103397 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)" to "Enabled". + + + If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ +Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\ -Value Name: RequireSignOrSeal +Value Name: ProtectionMode Value Type: REG_DWORD Value: 0x00000001 (1) - - SRG-OS-000423-GPOS-00187 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000070 - Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled. 
- <VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic will be encrypted. - -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-UC-000010 + Windows Server 2019 must preserve zone information when saving attachments. + <VulnDiscussion>Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally encrypt secure channel data (when possible)" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103399 + V-93311 + CCI-000366 + The default behavior is for Windows to mark file attachments with their zone information. 
-Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ +If this needs to be corrected, configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> Attachment Manager >> "Do not preserve zone information in file attachments" to "Not Configured" or "Disabled". + + + + The default behavior is for Windows to mark file attachments with their zone information. -Value Name: SealSecureChannel +If the registry Value Name below does not exist, this is not a finding. + +If it exists and is configured with a value of "2", this is not a finding. + +If it exists and is configured with a value of "1", this is a finding. + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ + +Value Name: SaveZoneInformation Value Type: REG_DWORD -Value: 0x00000001 (1) +Value: 0x00000002 (2) (or if the Value Name does not exist) - - SRG-OS-000423-GPOS-00187 + + SRG-OS-000480-GPOS-00229 <GroupDescription></GroupDescription> - - WN19-SO-000080 - Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. - <VulnDiscussion>Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing secure channel traffic will be signed. 
- -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-CC-000450 + Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart. + <VulnDiscussion>Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling this will prevent the caching of credentials for this purpose and also ensure the user is aware of the restart.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Digitally sign secure channel data (when possible)" to "Enabled". 
- - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93269 + SV-103357 + CCI-000366 + Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Logon Options >> "Sign-in last interactive user automatically after a system-initiated restart" to "Disabled". + + + + Verify the registry value below. If it does not exist or is not configured as specified, this is a finding. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ -Value Name: SignSecureChannel +Value Name: DisableAutomaticRestartSignOn Value Type: REG_DWORD Value: 0x00000001 (1) - - SRG-OS-000423-GPOS-00187 + + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - - WN19-SO-000110 - Windows Server 2019 must be configured to require a strong session key. - <VulnDiscussion>A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys are not used to establish the connection. Requiring strong session keys enforces 128-bit encryption between systems. + + WN19-00-000280 + Windows Server 2019 must have a host-based firewall installed and enabled. 
+ <VulnDiscussion>A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103657 + V-93571 + CCI-002080 + CCI-000366 + Install and enable a host-based firewall on the system. + + + + Determine if a host-based firewall is installed and enabled on the system. -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +If a host-based firewall is not installed and enabled on the system, this is a finding. + +The configuration requirements will be determined by the applicable firewall STIG. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + WN19-CC-000451 + The Windows Explorer Preview pane must be disabled for Windows Server 2019. + <VulnDiscussion>A known vulnerability in Windows could allow the execution of malicious code by either opening a compromised document or viewing it in the Windows Preview pane. 
+ +Organizations must disable the Windows Preview pane and Windows Detail pane.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Domain member: Require strong (Windows 2000 or Later) session key" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-102625 + SV-111575 + CCI-000366 + Ensure the following settings are configured for Windows Server 2019 locally or applied through group policy. + +Configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Explorer Frame Pane "Turn off Preview Pane" to "Enabled". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ +Configure the policy value for User Configuration >> Administrative Templates >> Windows Components >> File Explorer >> Explorer Frame Pane "Turn on or off details pane" to "Enabled" and "Configure details pane" to "Always hide". 
+ + + + If the following registry values do not exist or are not configured as specified, this is a finding: -Value Name: RequireStrongKey +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + +Value Name: NoPreviewPane Value Type: REG_DWORD -Value: 0x00000001 (1) - -This setting may prevent a system from being joined to a domain if not configured consistently between systems. + +Value: 1 + +Registry Hive: HKEY_CURRENT_USER +Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + +Value Name: NoReadingPane + +Value Type: REG_DWORD + +Value: 1 - - SRG-OS-000423-GPOS-00187 + + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - WN19-SO-000160 - Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. - <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB client will only communicate with an SMB server that performs SMB packet signing. - -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AC-000020 + Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. 
The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack while allowing for honest errors made during normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (always)" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + SV-103229 + V-93141 + CCI-000044 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout threshold" to "3" or fewer invalid logon attempts (excluding "0", which is unacceptable). + + + + Verify the effective setting in Local Group Policy Editor. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ +Run "gpedit.msc". -Value Name: RequireSecuritySignature +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. -Value Type: REG_DWORD -Value: 0x00000001 (1) +If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding. 
+ + - - SRG-OS-000423-GPOS-00187 + + SRG-OS-000021-GPOS-00005 <GroupDescription></GroupDescription> - - WN19-SO-000170 - Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. - <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing. + + WN19-AC-000030 + Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. + <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to "0". The smaller this value is, the less effective the account lockout feature will be in protecting the local system. 
-Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network client: Digitally sign communications (if server agrees)" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93143 + SV-103231 + CCI-000044 + CCI-002238 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes. + + + + Verify the effective setting in Local Group Policy Editor. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ +Run "gpedit.msc". 
-Value Name: EnableSecuritySignature +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. -Value Type: REG_DWORD -Value: 0x00000001 (1) +If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding. + + - - SRG-OS-000423-GPOS-00187 + + SRG-OS-000057-GPOS-00027 <GroupDescription></GroupDescription> - - WN19-SO-000190 - Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. - <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing. + + WN19-UR-000170 + Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group. + <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Manage auditing and security log" user right can manage the security log and change auditing configurations. This could be used to clear evidence of tampering. 
+ +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000337-GPOS-00129</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (always)" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93197 + SV-103285 + CCI-000162 + CCI-000163 + CCI-000164 + CCI-000171 + CCI-001914 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to include only the following accounts or groups: -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ +- Administrators + + + + Verify the effective setting in Local Group Policy Editor. -Value Name: RequireSecuritySignature +Run "gpedit.msc". -Value Type: REG_DWORD -Value: 0x00000001 (1) +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. + +If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding. 
+ +- Administrators + + - - SRG-OS-000423-GPOS-00187 + + SRG-OS-000069-GPOS-00037 <GroupDescription></GroupDescription> - - WN19-SO-000200 - Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. - <VulnDiscussion>The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client. + + WN19-AC-000080 + Windows Server 2019 must have the built-in Windows password complexity policy enabled. + <VulnDiscussion>The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, uppercase and lowercase letters, and special characters) and prevents the inclusion of user names or parts of user names. 
-Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000071-GPOS-00039, SRG-OS-000266-GPOS-00101</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002418 - CCI-002421 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft network server: Digitally sign communications (if client agrees)" to "Enabled". - - - - If the following registry value does not exist or is not configured as specified, this is a finding: + V-93459 + SV-103545 + CCI-000192 + CCI-000193 + CCI-000194 + CCI-001619 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled". + + + + Verify the effective setting in Local Group Policy Editor. -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\ +Run "gpedit.msc". 
-Value Name: EnableSecuritySignature +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. -Value Type: REG_DWORD -Value: 0x00000001 (1) +If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. + + - - SRG-OS-000433-GPOS-00192 + + SRG-OS-000073-GPOS-00041 <GroupDescription></GroupDescription> - - WN19-CC-000310 - Windows Server 2019 Explorer Data Execution Prevention must be enabled. - <VulnDiscussion>Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being turned off for File Explorer.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AC-000090 + Windows Server 2019 reversible password encryption must be disabled. + <VulnDiscussion>Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. 
For this reason, this policy must never be enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002824 - The default behavior is for data execution prevention to be turned on for File Explorer. - -If this needs to be corrected, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File Explorer >> "Turn off Data Execution Prevention for Explorer" to "Not Configured" or "Disabled". - - - - The default behavior is for Data Execution Prevention to be turned on for File Explorer. - -If the registry value name below does not exist, this is not a finding. - -If it exists and is configured with a value of "0", this is not a finding. + V-93465 + SV-103551 + CCI-000196 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled". + + + + Verify the effective setting in Local Group Policy Editor. -If it exists and is configured with a value of "1", this is a finding. +Run "gpedit.msc". -Registry Hive: HKEY_LOCAL_MACHINE -Registry Path: \SOFTWARE\Policies\Microsoft\Windows\Explorer\ +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. -Value Name: NoDataExecutionPrevention +If the value for "Store passwords using reversible encryption" is not set to "Disabled", this is a finding. 
-Value Type: REG_DWORD -Value: 0x00000000 (0) (or if the Value Name does not exist) + - - SRG-OS-000433-GPOS-00193 + + SRG-OS-000075-GPOS-00043 <GroupDescription></GroupDescription> - - WN19-EP-000020 - Windows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on. - <VulnDiscussion>Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Randomize memory allocations (Bottom-Up ASLR)", are enabled by default at the system level. Bottom-Up ASLR (address space layout randomization) randomizes locations for virtual memory allocations, including those for system structures. If this is turned off, Windows may be subject to various exploits.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AC-000060 + Windows Server 2019 minimum password age must be configured to at least one day. + <VulnDiscussion>Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. 
This enables users to effectively negate the purpose of mandating periodic password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002824 - Ensure Exploit Protection system-level mitigation, "Randomize memory allocations (Bottom-Up ASLR)" is turned on. The default configuration in Exploit Protection is "On by default" which meets this requirement. - -Open "Windows Defender Security Center". - -Select "App & browser control". - -Select "Exploit protection settings". - -Under "System settings", configure "Randomize memory allocations (Bottom-Up ASLR)" to "On by default" or "Use default (<On>)". - -The STIG package includes a DoD EP XML file in the "Supporting Files" folder for configuring application mitigations defined in the STIG. This can also be modified to explicitly enforce the system level requirements. Adding the following to the XML file will explicitly turn Bottom-Up ASLR on (other system level EP requirements can be combined under <SystemConfig>): - -<SystemConfig> - <ASLR BottomUp="true" HighEntropy="true"></ASLR> -</SystemConfig> - -The XML file is applied with the group policy setting Computer Configuration >> Administrative Settings >> Windows Components >> Windows Defender Exploit Guard >> Exploit Protection >> "Use a common set of exploit protection settings" configured to "Enabled" with file name and location defined under "Options:". It is recommended the file be in a read-only network location. - - - - This is applicable to unclassified systems, for other systems this is NA. 
- -The default configuration in Exploit Protection is "On by default" which meets this requirement. The PowerShell query results for this show as "NOTSET". - -Run "Windows PowerShell" with elevated privileges (run as administrator). + V-93471 + SV-103557 + CCI-000198 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password age" to at least "1" day. + + + + Verify the effective setting in Local Group Policy Editor. -Enter "Get-ProcessMitigation -System". +Run "gpedit.msc". -If the status of "ASLR: BottomUp" is "OFF", this is a finding. +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. -Values that would not be a finding include: +If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately"), this is a finding. -ON -NOTSET (Default configuration) + - - SRG-OS-000191-GPOS-00080 + + SRG-OS-000076-GPOS-00044 <GroupDescription></GroupDescription> - - WN19-00-000290 - Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). - <VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. 
The operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AC-000050 + Windows Server 2019 maximum password age must be configured to 60 days or less. + <VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-001233 - Install a DoD approved HBSS software and ensure it is operating continuously. - - - - Verify DoD approved HBSS software is installed, configured, and properly operating. Ask the operator to document the HBSS software installation and configuration. + SV-103563 + V-93477 + CCI-000199 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Maximum password age" to "60" days or less (excluding "0", which is unacceptable). + + + + Verify the effective setting in Local Group Policy Editor. 
-If the operator is not able to provide a documented configuration for an installed HBSS or if the HBSS software is not properly configured, maintained, or used, this is a finding. +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for the "Maximum password age" is greater than "60" days, this is a finding. + +If the value is set to "0" (never expires), this is a finding. + + - - SRG-OS-000480-GPOS-00231 + + SRG-OS-000077-GPOS-00045 <GroupDescription></GroupDescription> - - WN19-00-000280 - Windows Server 2019 must have a host-based firewall installed and enabled. - <VulnDiscussion>A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AC-000040 + Windows Server 2019 password history must be configured to 24 passwords remembered. + <VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is "24" for Windows domain systems. 
DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - CCI-002080 - Install and enable a host-based firewall on the system. - - - - Determine if a host-based firewall is installed and enabled on the system. + V-93479 + SV-103565 + CCI-000200 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered. + + + + Verify the effective setting in Local Group Policy Editor. -If a host-based firewall is not installed and enabled on the system, this is a finding. +Run "gpedit.msc". -The configuration requirements will be determined by the applicable firewall STIG. +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. + +If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding. + + - - SRG-OS-000297-GPOS-00115 + + SRG-OS-000078-GPOS-00046 <GroupDescription></GroupDescription> - - WN19-MS-000120 - Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems. - <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
- -The "Deny log on through Remote Desktop Services" user right defines the accounts that are prevented from logging on using Remote Desktop Services. - -In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. - -Local accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. - -The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + WN19-AC-000070 + Windows Server 2019 minimum password length must be configured to 14 characters. 
+ <VulnDiscussion>Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002314 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following: - -Domain Systems Only: -- Enterprise Admins group -- Domain Admins group -- Local account (see Note below) - -All Systems: -- Guests group - -Note: "Local account" is referring to the Windows built-in security group. - - - - This applies to member servers and standalone systems. A separate version applies to domain controllers. - -Verify the effective setting in Local Group Policy Editor. + V-93463 + SV-103549 + CCI-000205 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password length" to "14" characters. + + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
- -If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: - -Domain Systems Only: -- Enterprise Admins group -- Domain Admins group -- Local account (see Note below) +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. -All Systems: -- Guests group +If the value for the "Minimum password length," is less than "14" characters, this is a finding. - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + WN19-MS-000070 Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access this computer from the network" user right may access resources on the system, and this right must be limited to those requiring it.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to include only the following accounts or groups: + SV-103095 + V-93007 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User 
Rights Assignment >> "Access this computer from the network" to include only the following accounts or groups: - Administrators - Authenticated Users - - - + + + This applies to member servers and standalone systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. @@ -11992,10 +12778,10 @@ If any accounts or groups other than the following are granted the "Access this - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + WN19-MS-000080 Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. 
@@ -12008,14 +12794,16 @@ Local accounts on domain-joined systems must also be assigned this right to decr The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following: + SV-103097 + V-93009 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny access to this computer from the network" to include the following: Domain Systems Only: - Enterprise Admins group @@ -12026,9 +12814,9 @@ All Systems: - Guests group Note: These are built-in security groups. "Local account" is more restrictive but may cause issues on servers such as systems that provide failover clustering. - - - + + + This applies to member servers and standalone systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. 
@@ -12051,10 +12839,10 @@ All Systems: - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + WN19-MS-000090 Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. @@ -12065,14 +12853,16 @@ In an Active Directory Domain, denying logons to the Enterprise Admins and Domai The Guests group must be assigned to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following: + SV-103099 + V-93011 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a batch job" to include the following: Domain Systems Only: - Enterprise Admins Group @@ -12080,9 +12870,9 @@ Domain Systems Only: All Systems: - Guests Group - - - + + + This applies to member servers and standalone systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. 
@@ -12104,10 +12894,10 @@ All Systems: - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + WN19-MS-000100 Windows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. @@ -12118,21 +12908,23 @@ In an Active Directory Domain, denying logons to the Enterprise Admins and Domai Incorrect configurations could prevent services from starting and result in a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include the following: + SV-103101 + V-93013 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on as a service" to include the following: Domain systems: - Enterprise Admins Group - Domain Admins Group - - - + + + This applies to member servers and standalone systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. 
@@ -12152,10 +12944,10 @@ If any accounts or groups are defined for the "Deny log on as a service" user ri - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + WN19-MS-000110 Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. @@ -12166,14 +12958,16 @@ In an Active Directory Domain, denying logons to the Enterprise Admins and Domai The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following: + SV-103103 + V-93015 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on locally" to include the following: Domain Systems Only: - Enterprise Admins Group @@ -12181,9 +12975,9 @@ Domain Systems Only: All Systems: - Guests Group - - - + + + This applies to member servers and standalone systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. 
@@ -12205,64 +12999,162 @@ All Systems: - + SRG-OS-000080-GPOS-00048 <GroupDescription></GroupDescription> - + WN19-UR-000030 Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. -Accounts with the "Allow log on locally" user right can log on interactively to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> +Accounts with the "Allow log on locally" user right can log on interactively to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + V-93017 + SV-103105 + CCI-000213 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to include only the following accounts or groups: + +- Administrators + + + + Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. 
+ +If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: + +- Administrators + + + + + + + SRG-OS-000121-GPOS-00062 + <GroupDescription></GroupDescription> + + WN19-SO-000010 + Windows Server 2019 must have the built-in guest account disabled. + <VulnDiscussion>A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target MS Windows Server 2019 + DISA + DPMS Target + MS Windows Server 2019 + 2907 + + SV-103583 + V-93497 + CCI-000804 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Guest account status" to "Disabled". + + + + Verify the effective setting in Local Group Policy Editor. + +Run "gpedit.msc". + +Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. + +If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. + + + + + + + SRG-OS-000297-GPOS-00115 + <GroupDescription></GroupDescription> + + WN19-MS-000120 + Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems. 
+ <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. + +The "Deny log on through Remote Desktop Services" user right defines the accounts that are prevented from logging on using Remote Desktop Services. + +In an Active Directory Domain, denying logons to the Enterprise Admins and Domain Admins groups on lower-trust systems helps mitigate the risk of privilege escalation from credential theft attacks, which could lead to the compromise of an entire domain. + +Local accounts on domain-joined systems must also be assigned this right to decrease the risk of lateral movement resulting from credential theft attacks. + +The Guests group must be assigned this right to prevent unauthenticated access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000213 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on locally" to include only the following accounts or groups: + V-92965 + SV-103053 + CCI-002314 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Deny log on through Remote Desktop Services" to include the following: -- Administrators - - - - Verify the effective setting in Local Group Policy Editor. 
+Domain Systems Only: +- Enterprise Admins group +- Domain Admins group +- Local account (see Note below) + +All Systems: +- Guests group + +Note: "Local account" is referring to the Windows built-in security group. + + + + This applies to member servers and standalone systems. A separate version applies to domain controllers. + +Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. -If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: +If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" user right, this is a finding: -- Administrators +Domain Systems Only: +- Enterprise Admins group +- Domain Admins group +- Local account (see Note below) + +All Systems: +- Guests group - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-MS-000130 Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone systems. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts to be trusted for delegation" user right allows the "Trusted for Delegation" setting to be changed. 
This could allow unauthorized users to impersonate other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to be defined but containing no entries (blank). - - - + V-93047 + SV-103135 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Enable computer and user accounts to be trusted for delegation" to be defined but containing no entries (blank). + + + This applies to member servers and standalone systems. A separate version applies to domain controllers. Verify the effective setting in Local Group Policy Editor. 
@@ -12277,27 +13169,29 @@ If any accounts or groups are granted the "Enable computer and user accounts to - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000010 Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access Credential Manager as a trusted caller" user right may be able to retrieve the credentials of other accounts from Credential Manager.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank). - - - + SV-103137 + V-93049 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank). + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12310,27 +13204,29 @@ If any accounts or groups are granted the "Access Credential Manager as a truste - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000020 Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Act as part of the operating system" user right can assume the identity of any user and gain access to resources that the user is authorized to access. Any accounts with this right can take complete control of a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank). - - - + V-93051 + SV-103139 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Act as part of the operating system" to be defined but containing no entries (blank). + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12343,29 +13239,31 @@ If any accounts or groups (to include administrators), are granted the "Act as p - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000040 Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Back up files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to include only the following accounts or groups: + V-93053 + SV-103141 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Back up files and directories" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12380,29 +13278,31 @@ If any accounts or groups other than the following are granted the "Back up file - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000050 Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create a pagefile" user right can change the size of a pagefile, which could affect system performance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a pagefile" to include only the following accounts or groups: + V-93055 + SV-103143 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a pagefile" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12417,27 +13317,29 @@ If any accounts or groups other than the following are granted the "Create a pag - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000060 Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Create a token object" user right allows a process to create an access token. This could be used to provide elevated rights and compromise a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank). - - - + V-93057 + SV-103145 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create a token object" to be defined but containing no entries (blank). + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12450,32 +13352,34 @@ If any accounts or groups are granted the "Create a token object" user right, th - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000070 Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create global objects" user right can create objects that are available to all sessions, which could affect processes in other users' sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create global objects" to include only the following accounts or groups: + SV-103147 + V-93059 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create global objects" to include only the following accounts or groups: - Administrators - Service - Local Service - Network Service - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
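Review bot: the order of the two legacy idents flips here to `SV-103147` then `V-93059`, whereas the three preceding rules list `V-` before `SV-` (for example `V-93057`, `SV-103145`), and the same flip recurs on later rules in this file. If the LegacyId logic or the Get-StigRule LegacyId query reads a fixed position, results will differ from rule to rule; either normalize the order in the benchmark XML or match on prefix and accept both values as legacy IDs regardless of order.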
@@ -12493,27 +13397,29 @@ If any accounts or groups other than the following are granted the "Create globa - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000080 Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create permanent shared objects" user right could expose sensitive data by creating shared objects.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create permanent shared objects" to be defined but containing no entries (blank). - - - + SV-103149 + V-93061 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create permanent shared objects" to be defined but containing no entries (blank). + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12526,31 +13432,33 @@ If any accounts or groups are granted the "Create permanent shared objects" user - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000090 Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create symbolic links" user right can create pointers to other objects, which could expose the system to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create symbolic links" to include only the following accounts or groups: + SV-103151 + V-93063 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Create symbolic links" to include only the following accounts or groups: - Administrators Systems that have the Hyper-V role will also have "Virtual Machines" given this user right. If this needs to be added manually, enter it as "NT Virtual Machine\Virtual Machines". - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
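Review bot: the fix text for WN19-UR-000090 still carries a conditional principal ("Systems that have the Hyper-V role will also have "Virtual Machines" given this user right ... enter it as "NT Virtual Machine\Virtual Machines"") while the enumerated list is Administrators only. This change only adds `SV-103151` / `V-93063` and leaves that prose untouched, so confirm the parsed rule still represents the Hyper-V exception rather than enforcing Administrators alone, which on a Hyper-V host would remove a right the STIG text itself permits.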
@@ -12565,29 +13473,31 @@ If any accounts or groups other than the following are granted the "Create symbo - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000100 Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Debug programs" user right can attach a debugger to any process or to the kernel, providing complete access to sensitive and critical operating system components. This right is given to Administrators in the default configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to include only the following accounts or groups: + SV-103153 + V-93065 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Debug programs" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12602,29 +13512,31 @@ If any accounts or groups other than the following are granted the "Debug progra - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000110 Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Force shutdown from a remote system" user right can remotely shut down a system, which could result in a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to include only the following accounts or groups: + V-93067 + SV-103155 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Force shutdown from a remote system" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12639,30 +13551,32 @@ If any accounts or groups other than the following are granted the "Force shutdo - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000120 Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Generate security audits" user right specifies users and processes that can generate Security Log audit records, which must only be the system service accounts defined.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Generate security audits" to include only the following accounts or groups: + V-93069 + SV-103157 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Generate security audits" to include only the following accounts or groups: - Local Service - Network Service - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12678,32 +13592,34 @@ If any accounts or groups other than the following are granted the "Generate sec - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000130 Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Impersonate a client after authentication" user right allows a program to impersonate another user or account to run on their behalf. An attacker could use this to elevate privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to include only the following accounts or groups: + V-93071 + SV-103159 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Impersonate a client after authentication" to include only the following accounts or groups: - Administrators - Service - Local Service - Network Service - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12721,29 +13637,31 @@ If any accounts or groups other than the following are granted the "Impersonate - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000140 Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Increase scheduling priority" user right can change a scheduling priority, causing performance issues or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Increase scheduling priority" to include only the following accounts or groups: + V-93073 + SV-103161 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Increase scheduling priority" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12758,29 +13676,31 @@ If any accounts or groups other than the following are granted the "Increase sch - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000150 Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Load and unload device drivers" user right allows a user to load device drivers dynamically on a system. This could be used by an attacker to install malicious code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to include only the following accounts or groups: + V-93075 + SV-103163 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Load and unload device drivers" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12795,27 +13715,29 @@ If any accounts or groups other than the following are granted the "Load and unl - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000160 Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Lock pages in memory" user right allows physical memory to be assigned to processes, which could cause performance issues or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank). - - - + V-93077 + SV-103165 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Lock pages in memory" to be defined but containing no entries (blank). + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12828,29 +13750,31 @@ If any accounts or groups are granted the "Lock pages in memory" user right, thi - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000180 Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Modify firmware environment values" user right can change hardware configuration environment variables. This could result in hardware failures or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Modify firmware environment values" to include only the following accounts or groups: + SV-103167 + V-93079 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Modify firmware environment values" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12865,29 +13789,31 @@ If any accounts or groups other than the following are granted the "Modify firmw - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000190 Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Perform volume maintenance tasks" user right can manage volume and disk configurations. This could be used to delete volumes, resulting in data loss or a denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to include only the following accounts or groups: + SV-103169 + V-93081 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Perform volume maintenance tasks" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12902,29 +13828,31 @@ If any accounts or groups other than the following are granted the "Perform volu - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000200 Windows Server 2019 Profile single process user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Profile single process" user right can monitor non-system processes performance. An attacker could use this to identify processes to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Profile single process" to include only the following accounts or groups: + SV-103171 + V-93083 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Profile single process" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12939,29 +13867,31 @@ If any accounts or groups other than the following are granted the "Profile sing - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000210 Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Restore files and directories" user right can circumvent file and directory permissions and could allow access to sensitive data. It could also be used to overwrite more current data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to include only the following accounts or groups: + SV-103173 + V-93085 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Restore files and directories" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -12976,29 +13906,31 @@ If any accounts or groups other than the following are granted the "Restore file - + SRG-OS-000324-GPOS-00125 <GroupDescription></GroupDescription> - + WN19-UR-000220 Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group. <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Take ownership of files or other objects" user right can take ownership of objects and make changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002235 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Take ownership of files or other objects" to include only the following accounts or groups: + SV-103175 + V-93087 + CCI-002235 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Take ownership of files or other objects" to include only the following accounts or groups: - Administrators - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -13013,92 +13945,29 @@ If any accounts or groups other than the following are granted the "Take ownersh - - SRG-OS-000021-GPOS-00005 - <GroupDescription></GroupDescription> - - WN19-AC-000020 - Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. - <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the local system. The number of bad logon attempts must be reasonably small to minimize the possibility of a successful password attack while allowing for honest errors made during normal user logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000044 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout threshold" to "3" or fewer invalid logon attempts (excluding "0", which is unacceptable). - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. - -If the "Account lockout threshold" is "0" or more than "3" attempts, this is a finding. - - - - - - - SRG-OS-000021-GPOS-00005 - <GroupDescription></GroupDescription> - - WN19-AC-000030 - Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. 
- <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the counter is reset to "0". The smaller this value is, the less effective the account lockout feature will be in protecting the local system. - -Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000044 - CCI-002238 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes. - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy. - -If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding. - - - - - - + SRG-OS-000329-GPOS-00128 <GroupDescription></GroupDescription> - + WN19-AC-000010 Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. <VulnDiscussion>The account lockout feature, when enabled, prevents brute-force password attacks on the system. 
This parameter specifies the period of time that an account will remain locked after the specified number of failed logon attempts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-002238 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. + V-93145 + SV-103233 + CCI-002238 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. A value of "0" is also acceptable, requiring an administrator to unlock the account. - - - + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
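Review bot: this hunk deletes the complete rule bodies for WN19-AC-000020 ("Account lockout threshold" to 3 or fewer, CCI-000044) and WN19-AC-000030 ("Reset account lockout counter after" at least 15 minutes, CCI-000044 and CCI-002238) and re-adds nothing for them; only WN19-AC-000010 survives here with its new legacy IDs `V-93145` / `SV-103233`. The header shows 92 lines removed for 29 added, so confirm both rules are emitted elsewhere in the reordered benchmark and that the processed rule set still contains all three account-lockout settings rather than silently losing two of them in the V2R1 data.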
@@ -13111,68 +13980,27 @@ If the "Account lockout duration" is less than "15" minutes (excluding "0"), thi - - SRG-OS-000057-GPOS-00027 - <GroupDescription></GroupDescription> - - WN19-UR-000170 - Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group. - <VulnDiscussion>Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. - -Accounts with the "Manage auditing and security log" user right can manage the security log and change auditing configurations. This could be used to clear evidence of tampering. - -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000063-GPOS-00032, SRG-OS-000337-GPOS-00129</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000162 - CCI-000163 - CCI-000164 - CCI-000171 - CCI-001914 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Manage auditing and security log" to include only the following accounts or groups: - -- Administrators - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment. - -If any accounts or groups other than the following are granted the "Manage auditing and security log" user right, this is a finding. 
- -- Administrators - - - - - - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN19-00-000450 Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights. <VulnDiscussion>Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there is a potential they may still have rights no longer intended. Valid domain accounts or groups may also show up as unresolved SIDs if a connection to the domain cannot be established for some reason.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy. - - - + V-93227 + SV-103315 + CCI-000366 + Remove any unresolved SIDs found in User Rights assignments and determined to not be for currently valid accounts or groups by removing the accounts or groups from the appropriate group policy. + + + Review the effective User Rights setting in Local Group Policy Editor. Run "gpedit.msc". 
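Review bot: per the `@@ -13111,68 +13980,27 @@` header this hunk removes 68 lines and adds 27, and the whole WN19-UR-000170 ("Manage auditing and security log" must only be assigned to Administrators) rule is among the deletions; only WN19-00-000450 survives with its new legacy identifiers `V-93227` and `SV-103315`. Nothing in this hunk re-adds the user-rights rule, so confirm it is present in the new V2R1 file and in the processed PowerSTIG output (comparing the set of `WN19-` rule IDs before and after the change is the quickest check); a dropped auditing control produces no error, only a quieter baseline.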
@@ -13186,25 +14014,27 @@ If any unresolved SIDs exist and are not for currently valid accounts or groups, - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN19-SO-000030 Windows Server 2019 built-in administrator account must be renamed. <VulnDiscussion>The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename administrator account" to a name other than "Administrator". - - - + SV-103369 + V-93281 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename administrator account" to a name other than "Administrator". + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
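Review bot: the legacy identifiers for WN19-SO-000030 are added here in the order `SV-103369` then `V-93281`, whereas the WN19-00-000450 hunk above adds `V-93227` before `SV-103315`, and the WN19-SO-000040 hunk below again puts `SV-103371` before `V-93283`. The LegacyId extraction should therefore select by the `V-` / `SV-` prefix rather than by element position, and a test fixture containing both orderings would catch a regression in that logic.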
@@ -13217,25 +14047,27 @@ If the value for "Accounts: Rename administrator account" is not set to a value - + SRG-OS-000480-GPOS-00227 <GroupDescription></GroupDescription> - + WN19-SO-000040 Windows Server 2019 built-in guest account must be renamed. <VulnDiscussion>The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized users. Renaming this account to an unidentified name improves the protection of this account and the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - DPMS Target Windows 2019 + DPMS Target MS Windows Server 2019 DISA DPMS Target - Windows 2019 - 3483 + MS Windows Server 2019 + 2907 - CCI-000366 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename guest account" to a name other than "Guest". - - - + SV-103371 + V-93283 + CCI-000366 + Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Rename guest account" to a name other than "Guest". + + + Verify the effective setting in Local Group Policy Editor. Run "gpedit.msc". 
@@ -13244,230 +14076,6 @@ Navigate to Local Computer Policy >> Computer Configuration >> Windo If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding. - - - - - - SRG-OS-000069-GPOS-00037 - <GroupDescription></GroupDescription> - - WN19-AC-000080 - Windows Server 2019 must have the built-in Windows password complexity policy enabled. - <VulnDiscussion>The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters (numbers, uppercase and lowercase letters, and special characters) and prevents the inclusion of user names or parts of user names. - -Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000071-GPOS-00039, SRG-OS-000266-GPOS-00101</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000192 - CCI-000193 - CCI-000194 - CCI-001619 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled". - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. 
- - - - - - - SRG-OS-000078-GPOS-00046 - <GroupDescription></GroupDescription> - - WN19-AC-000070 - Windows Server 2019 minimum password length must be configured to 14 characters. - <VulnDiscussion>Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system and compromising the device, information, or the local network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000205 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password length" to "14" characters. - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for the "Minimum password length," is less than "14" characters, this is a finding. - - - - - - - SRG-OS-000073-GPOS-00041 - <GroupDescription></GroupDescription> - - WN19-AC-000090 - Windows Server 2019 reversible password encryption must be disabled. - <VulnDiscussion>Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. 
For this reason, this policy must never be enabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000196 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Store passwords using reversible encryption" to "Disabled". - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for "Store passwords using reversible encryption" is not set to "Disabled", this is a finding. - - - - - - - SRG-OS-000075-GPOS-00043 - <GroupDescription></GroupDescription> - - WN19-AC-000060 - Windows Server 2019 minimum password age must be configured to at least one day. - <VulnDiscussion>Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. 
This enables users to effectively negate the purpose of mandating periodic password changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000198 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password age" to at least "1" day. - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for the "Minimum password age" is set to "0" days ("Password can be changed immediately"), this is a finding. - - - - - - - SRG-OS-000076-GPOS-00044 - <GroupDescription></GroupDescription> - - WN19-AC-000050 - Windows Server 2019 maximum password age must be configured to 60 days or less. - <VulnDiscussion>The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. 
Scheduled changing of passwords hinders the ability of unauthorized system users to crack passwords and gain access to a system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000199 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Maximum password age" to "60" days or less (excluding "0", which is unacceptable). - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for the "Maximum password age" is greater than "60" days, this is a finding. - -If the value is set to "0" (never expires), this is a finding. - - - - - - - SRG-OS-000077-GPOS-00045 - <GroupDescription></GroupDescription> - - WN19-AC-000040 - Windows Server 2019 password history must be configured to 24 passwords remembered. - <VulnDiscussion>A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. This enables users to effectively negate the purpose of mandating periodic password changes. The default value is "24" for Windows domain systems. 
DoD has decided this is the appropriate value for all Windows systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000200 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered. - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy. - -If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding. - - - - - - - SRG-OS-000121-GPOS-00062 - <GroupDescription></GroupDescription> - - WN19-SO-000010 - Windows Server 2019 must have the built-in guest account disabled. - <VulnDiscussion>A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. 
This account is initialized during the installation of the operating system with no password assigned.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - - DPMS Target Windows 2019 - DISA - DPMS Target - Windows 2019 - 3483 - - CCI-000804 - Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Accounts: Guest account status" to "Disabled". - - - - Verify the effective setting in Local Group Policy Editor. - -Run "gpedit.msc". - -Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options. - -If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding. - diff --git a/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_STIG_V1R3_Manual-xccdf.xml b/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_STIG_V1R3_Manual-xccdf.xml deleted file mode 100644 index 167afd3f7..000000000 --- a/source/StigData/Archive/Windows.Server.2019/U_MS_Windows_Server_2019_STIG_V1R3_Manual-xccdf.xml +++ /dev/null 
@@ -1,6616 +0,0 @@ -acceptedWindows Server 2019 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 24 Jan 20201I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>
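Review bot: the `@@ -13244,230 +14076,6 @@` hunk deletes seven complete rules (WN19-AC-000080 password complexity, WN19-AC-000070 minimum password length, WN19-AC-000090 reversible encryption, WN19-AC-000060 minimum password age, WN19-AC-000050 maximum password age, WN19-AC-000040 password history and WN19-SO-000010 guest account status) and adds nothing in their place. The growing offset between old and new line ranges across these hunks suggests the V2R1 benchmark was reordered rather than trimmed, but that is not visible in the diff; confirm each of these rule IDs still appears in the new XCCDF and in the processed PowerSTIG data, since a missing password policy rule would not fail any build step, it would just silently weaken the applied baseline.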
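Review bot: the archived `U_MS_Windows_Server_2019_STIG_V1R3_Manual-xccdf.xml` ("Release: 3 Benchmark Date: 24 Jan 2020" per its header line) is deleted outright. If the processed V1R3 data is kept so existing consumers can pin that version, the source it was generated from is now gone and that data can no longer be regenerated or verified against DISA's XCCDF; either remove the processed V1R3 data in the same change or keep the archive. The commit message should also state whether dropping V1R3 is intended as a breaking change for callers that reference that version explicitly.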