Windows 10 Security Technical Implementation Guide


Overview

Date: 2021-08-18
Finding Count: 257 (CAT I (High): 26, CAT II (Med): 213, CAT III (Low): 18)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-220708 High Local volumes must be formatted using NTFS.
V-220706 High Windows 10 systems must be maintained at a supported servicing level.
V-220707 High The Windows 10 system must use an anti-virus program.
V-220932 High Anonymous access to Named Pipes and Shares must be restricted.
V-220930 High Anonymous enumeration of shares must be restricted.
V-220937 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-220938 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-220718 High Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
V-220823 High Solicited Remote Assistance must not be allowed.
V-220712 High Only accounts responsible for the administration of a system must have Administrator rights on the system.
V-220828 High The default autorun behavior must be configured to prevent autorun commands.
V-220726 High Data Execution Prevention (DEP) must be configured to at least OptOut.
V-220727 High Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.
V-220857 High The Windows Installer Always install with elevated privileges must be disabled.
V-220737 High Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
V-220967 High The Debug programs user right must only be assigned to the Administrators group.
V-220963 High The Create a token object user right must not be assigned to any groups or accounts.
V-220747 High Reversible password encryption must be disabled.
V-220862 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-220865 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-220958 High The Act as part of the operating system user right must not be assigned to any groups or accounts.
V-220812 High Credential Guard must be running on Windows 10 domain-joined systems.
V-220827 High Autoplay must be turned off for non-volume devices.
V-220928 High Anonymous SID/Name translation must not be allowed.
V-220929 High Anonymous enumeration of SAM accounts must not be allowed.
V-220829 High Autoplay must be disabled for all drives.
V-220709 Medium Alternate operating systems must not be permitted on the same system.
V-220830 Medium Enhanced anti-spoofing for facial recognition must be enabled on Windows 10.
V-220836 Medium The Windows Defender SmartScreen for Explorer must be enabled.
V-220837 Medium Explorer Data Execution Prevention must be enabled.
V-220834 Medium Windows Telemetry must not be configured to Full.
V-220833 Medium If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics.
V-220701 Medium Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-220702 Medium Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
V-220703 Medium Windows 10 systems must use a BitLocker PIN for pre-boot authentication.
V-220704 Medium Windows 10 systems must use a BitLocker PIN with a minimum length of 6 digits for pre-boot authentication.
V-220705 Medium The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-220933 Medium Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
V-220931 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-220936 Medium Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-220935 Medium PKU2U authentication using online identities must be prevented.
V-220934 Medium NTLM must be prevented from falling back to a Null session.
V-220939 Medium The system must be configured to the required LDAP client signing level.
V-220742 Medium The password history must be configured to 24 passwords remembered.
V-220779 Medium The Application event log size must be configured to 32768 KB or greater.
V-220778 Medium The system must be configured to audit System - System Integrity successes.
V-220775 Medium The system must be configured to audit System - Security State Change successes.
V-220774 Medium The system must be configured to audit System - Other System Events failures.
V-220777 Medium The system must be configured to audit System - System Integrity failures.
V-220776 Medium The system must be configured to audit System - Security System Extension successes.
V-220771 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-220773 Medium The system must be configured to audit System - Other System Events successes.
V-220772 Medium The system must be configured to audit System - IPSec Driver failures.
V-220824 Medium Unauthenticated RPC clients must be restricted from connecting to the RPC server.
V-220719 Medium Simple Network Management Protocol (SNMP) must not be installed on the system.
V-220821 Medium Users must be prompted for a password on resume from sleep (on battery).
V-220820 Medium Local users on domain-joined computers must not be enumerated.
V-220822 Medium The user must be prompted for a password on resume from sleep (plugged in).
V-220713 Medium Only accounts responsible for the backup operations must be members of the Backup Operators group.
V-220710 Medium Non system-created file shares on a system must limit access to groups that require it.
V-220717 Medium Permissions for system files and directories must conform to minimum requirements.
V-220714 Medium Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems.
V-220906 Medium The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-220907 Medium Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
V-220904 Medium The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
V-220905 Medium The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-220902 Medium Windows 10 Kernel Direct Memory Access (DMA) Protection must be enabled.
V-220903 Medium The DoD Root CA certificates must be installed in the Trusted Root Store.
V-220908 Medium The built-in administrator account must be disabled.
V-220909 Medium The built-in guest account must be disabled.
V-220982 Medium The Restore files and directories user right must only be assigned to the Administrators group.
V-220983 Medium The Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-220980 Medium The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-220981 Medium The Profile single process user right must only be assigned to the Administrators group.
V-220780 Medium The Security event log size must be configured to 1024000 KB or greater.
V-220781 Medium The System event log size must be configured to 32768 KB or greater.
V-220782 Medium Windows 10 permissions for the Application event log must prevent access by non-privileged accounts.
V-220783 Medium Windows 10 permissions for the Security event log must prevent access by non-privileged accounts.
V-220784 Medium Windows 10 permissions for the System event log must prevent access by non-privileged accounts.
V-220785 Medium Windows 10 must be configured to audit Other Policy Change Events Successes.
V-220786 Medium Windows 10 must be configured to audit Other Policy Change Events Failures.
V-220787 Medium Windows 10 must be configured to audit other Logon/Logoff Events Successes.
V-220788 Medium Windows 10 must be configured to audit other Logon/Logoff Events Failures.
V-220789 Medium Windows 10 must be configured to audit Detailed File Share Failures.
V-220839 Medium File Explorer shell protocol must run in protected mode.
V-220919 Medium The system must be configured to require a strong session key.
V-220728 Medium The Windows PowerShell 2.0 feature must be disabled on the system.
V-220729 Medium The Server Message Block (SMB) v1 protocol must be disabled on the system.
V-220724 Medium A host-based firewall must be installed and enabled on the system.
V-220725 Medium Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.
V-220915 Medium Outgoing secure channel traffic must be encrypted when possible.
V-220914 Medium Outgoing secure channel traffic must be encrypted or signed.
V-220720 Medium Simple TCP/IP Services must not be installed on the system.
V-220721 Medium The Telnet Client must not be installed on the system.
V-220850 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-220851 Medium The Remote Desktop Session Host must require secure RPC communications.
V-220852 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-220853 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-220854 Medium Basic authentication for RSS feeds over HTTP must not be used.
V-220855 Medium Indexing of encrypted files must be turned off.
V-220856 Medium Users must be prevented from changing installation options.
V-220858 Medium Users must be notified if a web-based program attempts to install software.
V-220859 Medium Automatically signing in the last interactive user after a system-initiated restart must be disabled.
V-220755 Medium The system must be configured to audit Logon/Logoff - Account Lockout failures.
V-220734 Medium Bluetooth must be turned off unless approved by the organization.
V-220866 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-220793 Medium Windows 10 must cover or disable the built-in or attached camera when not in use.
V-220792 Medium Camera access from the lock screen must be disabled.
V-220791 Medium Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures.
V-220790 Medium Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes.
V-220796 Medium The system must be configured to prevent IP source routing.
V-220795 Medium IPv6 source routing must be configured to highest protection.
V-220794 Medium The display of slide shows on the lock screen must be disabled.
V-220799 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-220731 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
V-220730 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
V-220733 Medium Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.
V-220732 Medium The Secondary Logon service must be disabled on Windows 10.
V-220735 Medium Bluetooth must be turned off when not in use.
V-220969 Medium The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
V-220736 Medium The system must notify the user when a Bluetooth device attempts to connect.
V-220739 Medium Windows 10 account lockout duration must be configured to 15 minutes or greater.
V-220738 Medium Windows 10 non-persistent VM sessions should not exceed 24 hours.
V-220966 Medium The Create symbolic links user right must only be assigned to the Administrators group.
V-220960 Medium The Back up files and directories user right must only be assigned to the Administrators group.
V-220961 Medium The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc.
V-220962 Medium The Create a pagefile user right must only be assigned to the Administrators group.
V-220843 Medium The password manager function in the Edge browser must be disabled.
V-220842 Medium Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.
V-220841 Medium Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
V-220840 Medium Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
V-220847 Medium Windows 10 must be configured to require a minimum pin length of six characters or greater.
V-220846 Medium The use of a hardware security device with Windows Hello for Business must be enabled.
V-220845 Medium Windows 10 must be configured to disable Windows Game Recording and Broadcasting.
V-220844 Medium The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.
V-220849 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts.
V-220848 Medium Passwords must not be saved in the Remote Desktop Client.
V-220926 Medium Unencrypted passwords must not be sent to third-party SMB Servers.
V-220832 Medium Administrator accounts must not be enumerated during elevation.
V-220744 Medium The minimum password age must be configured to at least 1 day.
V-220745 Medium Passwords must, at a minimum, be 14 characters.
V-220746 Medium The built-in Microsoft password complexity filter must be enabled.
V-220740 Medium The number of allowed bad logon attempts must be configured to 3 or less.
V-220741 Medium The period of time before the bad logon counter is reset must be configured to 15 minutes.
V-220979 Medium The Modify firmware environment values user right must only be assigned to the Administrators group.
V-220978 Medium The Manage auditing and security log user right must only be assigned to the Administrators group.
V-220977 Medium The Lock pages in memory user right must not be assigned to any groups or accounts.
V-220976 Medium The Load and unload device drivers user right must only be assigned to the Administrators group.
V-220975 Medium The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-220974 Medium The Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-220748 Medium The system must be configured to audit Account Logon - Credential Validation failures.
V-220749 Medium The system must be configured to audit Account Logon - Credential Validation successes.
V-220971 Medium The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
V-220970 Medium The Deny log on as a service user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
V-220968 Medium The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
V-220870 Medium The convenience PIN for Windows 10 must be disabled.
V-220871 Medium Windows Ink Workspace must be configured to disallow access above the lock.
V-220818 Medium Systems must at least attempt device authentication using certificates.
V-220819 Medium The network selection user interface (UI) must not be displayed on the logon screen.
V-220800 Medium WDigest Authentication must be disabled.
V-220911 Medium The built-in administrator account must be renamed.
V-220910 Medium Local accounts with blank passwords must be restricted to prevent access from the network.
V-220810 Medium Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.
V-220913 Medium Audit policy using subcategories must be enabled.
V-250318 Medium PowerShell Transcription must be enabled on Windows 10.
V-220757 Medium The system must be configured to audit Logon/Logoff - Logoff successes.
V-220756 Medium The system must be configured to audit Logon/Logoff - Group Membership successes.
V-220940 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
V-220941 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
V-220753 Medium The system must be configured to audit Detailed Tracking - PNP Activity successes.
V-220752 Medium The system must be configured to audit Account Management - User Account Management successes.
V-220751 Medium The system must be configured to audit Account Management - User Account Management failures.
V-220750 Medium The system must be configured to audit Account Management - Security Group Management successes.
V-220861 Medium The Windows Explorer Preview pane must be disabled for Windows 10.
V-220722 Medium The TFTP Client must not be installed on the system.
V-220863 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-220759 Medium The system must be configured to audit Logon/Logoff - Logon successes.
V-220723 Medium Software certificate installation files must be removed from Windows 10.
V-220916 Medium Outgoing secure channel traffic must be signed when possible.
V-250319 Medium Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-220912 Medium The built-in guest account must be renamed.
V-220964 Medium The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-220770 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-220955 Medium Zone information must be preserved when saving attachments.
V-220957 Medium The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups.
V-220956 Medium The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-220951 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-220950 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-220952 Medium Passwords for enabled local Administrator accounts must be changed at least every 60 days.
V-220814 Medium Group Policy objects must be reprocessed even if they have not changed.
V-220815 Medium Downloading print driver packages over HTTP must be prevented.
V-220816 Medium Web publishing and online ordering wizards must be prevented from downloading a list of providers.
V-220817 Medium Printing over HTTP must be prevented.
V-220959 Medium The Allow log on locally user right must only be assigned to the Administrators and Users groups.
V-220813 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
V-220868 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-220754 Medium The system must be configured to audit Detailed Tracking - Process Creation successes.
V-220973 Medium The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.
V-220946 Medium Windows 10 must use multifactor authentication for local and network access to privileged and non-privileged accounts.
V-220947 Medium User Account Control must automatically deny elevation requests for standard users.
V-220743 Medium The maximum password age must be configured to 60 days or less.
V-220944 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-220965 Medium The Create permanent shared objects user right must not be assigned to any groups or accounts.
V-220945 Medium User Account Control must, at minimum, prompt administrators for consent on the secure desktop.
V-220697 Medium Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
V-220972 Medium The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
V-220860 Medium PowerShell script block logging must be enabled on Windows 10.
V-220948 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-220698 Medium Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
V-220699 Medium Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
V-220942 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-220949 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-220809 Medium Command line data must be included in process creation events.
V-220808 Medium Wi-Fi Sense must be disabled.
V-220807 Medium Connections to non-domain networks when connected to a domain authenticated network must be blocked.
V-220806 Medium Simultaneous connections to the Internet or a Windows domain must be limited.
V-220805 Medium Windows 10 must be configured to prioritize ECC Curves with longer key lengths first.
V-220803 Medium Internet connection sharing must be disabled.
V-220802 Medium Insecure logons to an SMB server must be disabled.
V-220801 Medium Run as different user must be removed from context menus.
V-220716 Medium Accounts must be configured to require password expiration.
V-220920 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-220921 Medium The required legal notice must be configured to display before console logon.
V-220924 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-220925 Medium The Windows SMB client must be configured to always perform SMB packet signing.
V-220869 Medium Windows 10 must be configured to prevent Windows apps from being activated by voice while the system is locked.
V-220927 Medium The Windows SMB server must be configured to always perform SMB packet signing.
V-220758 Medium The system must be configured to audit Logon/Logoff - Logon failures.
V-220867 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-220768 Medium The system must be configured to audit Policy Change - Authentication Policy Change successes.
V-220769 Medium The system must be configured to audit Policy Change - Authorization Policy Change successes.
V-220762 Medium Windows 10 must be configured to audit Object Access - File Share successes.
V-220763 Medium Windows 10 must be configured to audit Object Access - Other Object Access Events successes.
V-220760 Medium The system must be configured to audit Logon/Logoff - Special Logon successes.
V-220761 Medium Windows 10 must be configured to audit Object Access - File Share failures.
V-220766 Medium The system must be configured to audit Object Access - Removable Storage successes.
V-220767 Medium The system must be configured to audit Policy Change - Audit Policy Change successes.
V-220764 Medium Windows 10 must be configured to audit Object Access - Other Object Access Events failures.
V-220765 Medium The system must be configured to audit Object Access - Removable Storage failures.
V-220831 Low Microsoft consumer experiences must be turned off.
V-220700 Low Secure Boot must be enabled on Windows 10 systems.
V-220835 Low Windows Update must not obtain updates from other PCs on the Internet.
V-220838 Low Turning off File Explorer heap termination on corruption must be disabled.
V-220825 Low The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
V-220711 Low Unused accounts must be disabled or removed from the system after 35 days of inactivity.
V-220715 Low Standard local user accounts must not exist on a system in a domain.
V-220918 Low The maximum age for machine account passwords must be configured to 30 days or less.
V-220797 Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-220798 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-220826 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-220872 Low Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications.
V-220917 Low The computer account password must not be prevented from being reset.
V-220811 Low Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
V-220954 Low Toast notifications to the lock screen must be turned off.
V-220922 Low The Windows dialog box title for the legal banner must be configured.
V-220923 Low Caching of logon credentials must be limited.
V-220943 Low The default permissions of global system objects must be increased.