
Windows 10 Security Technical Implementation Guide


Overview

Date: 2018-04-06
Finding Count (280): CAT I (High): 26, CAT II (Med): 232, CAT III (Low): 22
STIG Description
The Windows 10 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-63797 High The system must be configured to prevent the storage of the LAN Manager hash of passwords.
V-63651 High Solicited Remote Assistance must not be allowed.
V-63869 High The Debug programs user right must only be assigned to the Administrators group.
V-63325 High The Windows Installer Always install with elevated privileges must be disabled.
V-63353 High Local volumes must be formatted using NTFS.
V-63667 High Autoplay must be turned off for non-volume devices.
V-63759 High Anonymous access to Named Pipes and Shares must be restricted.
V-63749 High Anonymous enumeration of shares must be restricted.
V-63673 High Autoplay must be disabled for all drives.
V-63671 High The default autorun behavior must be configured to prevent autorun commands.
V-63377 High Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
V-63847 High The Act as part of the operating system user right must not be assigned to any groups or accounts.
V-78129 High Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
V-63361 High Only accounts responsible for the administration of a system must have Administrator rights on the system.
V-63859 High The Create a token object user right must not be assigned to any groups or accounts.
V-63351 High The Windows 10 system must use an anti-virus program.
V-63745 High Anonymous enumeration of SAM accounts must not be allowed.
V-63429 High Reversible password encryption must be disabled.
V-68849 High Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.
V-63739 High Anonymous SID/Name translation must not be allowed.
V-68845 High Data Execution Prevention (DEP) must be configured to at least OptOut.
V-63801 High The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
V-63347 High The Windows Remote Management (WinRM) service must not use Basic authentication.
V-63337 High Mobile systems must encrypt all disks to protect the confidentiality and integrity of all information at rest.
V-63349 High Windows 10 systems must be maintained at a supported servicing level.
V-63335 High The Windows Remote Management (WinRM) client must not use Basic authentication.
V-63413 Medium The period of time before the bad logon counter is reset must be configured to 15 minutes.
V-63393 Medium Software certificate installation files must be removed from a system.
V-63415 Medium The password history must be configured to 24 passwords remembered.
V-63435 Medium The system must be configured to audit Account Logon - Credential Validation successes.
V-63419 Medium The maximum password age must be configured to 60 days or less.
V-63399 Medium A host-based firewall must be installed and enabled on the system.
V-63711 Medium Unencrypted passwords must not be sent to third-party SMB Servers.
V-63713 Medium The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.
V-63717 Medium The use of a hardware security device with Windows Hello for Business must be enabled.
V-63879 Medium The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
V-63719 Medium The Windows SMB server must be configured to always perform SMB packet signing.
V-63657 Medium Unauthenticated RPC clients must be restricted from connecting to the RPC server.
V-63881 Medium The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.
V-63755 Medium The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
V-70639 Medium The Server Message Block (SMB) v1 protocol must be disabled on the system.
V-63519 Medium The Application event log size must be configured to 32768 KB or greater.
V-71769 Medium Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
V-77267 Medium Exploit Protection mitigations in Windows 10 must be configured for wmplayer.exe.
V-77097 Medium Windows 10 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.
V-77269 Medium Exploit Protection mitigations in Windows 10 must be configured for wordpad.exe.
V-71765 Medium Internet connection sharing must be disabled.
V-71763 Medium WDigest Authentication must be disabled.
V-63941 Medium The Take ownership of files or other objects user right must only be assigned to the Administrators group.
V-71761 Medium The system must be configured to audit Policy Change - Authorization Policy Change successes.
V-72765 Medium Bluetooth must be turned off unless approved by the organization.
V-63527 Medium The System event log size must be configured to 32768 KB or greater.
V-68819 Medium PowerShell script block logging must be enabled.
V-63865 Medium The Create symbolic links user right must only be assigned to the Administrators group.
V-63329 Medium Users must be notified if a web-based program attempts to install software.
V-63487 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
V-63481 Medium The system must be configured to audit Policy Change - Authentication Policy Change successes.
V-63483 Medium The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
V-63665 Medium The system must be configured to require a strong session key.
V-63383 Medium Simple TCP/IP Services must not be installed on the system.
V-63381 Medium Simple Network Management Protocol (SNMP) must not be installed on the system.
V-63385 Medium The Telnet Client must not be installed on the system.
V-63389 Medium The TFTP Client must not be installed on the system.
V-63669 Medium The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
V-74699 Medium Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.
V-63467 Medium The system must be configured to audit Logon/Logoff - Logon successes.
V-63871 Medium The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
V-63873 Medium The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
V-63463 Medium The system must be configured to audit Logon/Logoff - Logon failures.
V-63875 Medium The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
V-63723 Medium The Windows SMB server must perform SMB packet signing when possible.
V-63877 Medium The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
V-63707 Medium The Windows SMB client must be enabled to perform SMB packet signing when possible.
V-63705 Medium InPrivate browsing in Microsoft Edge must be disabled.
V-63703 Medium The Windows SMB client must be configured to always perform SMB packet signing.
V-63469 Medium The system must be configured to audit Logon/Logoff - Special Logon successes.
V-63701 Medium Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
V-63423 Medium Passwords must, at a minimum, be 14 characters.
V-63863 Medium The Create permanent shared objects user right must not be assigned to any groups or accounts.
V-63699 Medium Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
V-77259 Medium Exploit Protection mitigations in Windows 10 must be configured for VPREVIEW.EXE.
V-77255 Medium Exploit Protection mitigations in Windows 10 must be configured for VISIO.EXE.
V-63861 Medium The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-63499 Medium The system must be configured to audit System - Other System Events successes.
V-63319 Medium Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
V-63555 Medium IPv6 source routing must be configured to highest protection.
V-63559 Medium The system must be configured to prevent IP source routing.
V-63491 Medium The system must be configured to audit System - IPSec Driver failures.
V-63495 Medium The system must be configured to audit System - IPSec Driver successes.
V-63677 Medium Enhanced anti-spoofing for facial recognition must be enabled on Windows 10.
V-63675 Medium The required legal notice must be configured to display before console logon.
V-63375 Medium The Windows Remote Management (WinRM) service must not store RunAs credentials.
V-63679 Medium Administrator accounts must not be enumerated during elevation.
V-63373 Medium Permissions for system files and directories must conform to minimum requirements.
V-63371 Medium Accounts must be configured to require password expiration.
V-63475 Medium The system must be configured to audit Policy Change - Audit Policy Change failures.
V-63471 Medium The system must be configured to audit Object Access - Removable Storage failures.
V-63473 Medium The system must be configured to audit Object Access - Removable Storage successes.
V-63845 Medium The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups.
V-63841 Medium Zone information must be preserved when saving attachments.
V-63479 Medium The system must be configured to audit Policy Change - Audit Policy Change successes.
V-63843 Medium The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
V-77249 Medium Exploit Protection mitigations in Windows 10 must be configured for PPTVIEW.EXE.
V-77243 Medium Exploit Protection mitigations in Windows 10 must be configured for OUTLOOK.EXE.
V-77247 Medium Exploit Protection mitigations in Windows 10 must be configured for POWERPNT.EXE.
V-77245 Medium Exploit Protection mitigations in Windows 10 must be configured for plugin-container.exe.
V-63541 Medium Permissions for the System event log must prevent access by non-privileged accounts.
V-63545 Medium Camera access from the lock screen must be disabled.
V-63549 Medium The display of slide shows on the lock screen must be disabled.
V-63933 Medium The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
V-63369 Medium The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
V-63689 Medium Explorer Data Execution Prevention must be enabled.
V-63365 Medium Users must not be allowed to run virtual machines in Hyper-V on the system.
V-63685 Medium The Windows Defender SmartScreen for Explorer must be enabled.
V-63683 Medium Windows Telemetry must be configured to Security or Basic.
V-63363 Medium Only accounts responsible for the backup operations must be members of the Backup Operators group.
V-63441 Medium The system must be configured to audit Account Management - Other Account Management Events successes.
V-72769 Medium The system must notify the user when a Bluetooth device attempts to connect.
V-63445 Medium The system must be configured to audit Account Management - Security Group Management successes.
V-63447 Medium The system must be configured to audit Account Management - User Account Management failures.
V-63449 Medium The system must be configured to audit Account Management - User Account Management successes.
V-63853 Medium The Back up files and directories user right must only be assigned to the Administrators group.
V-63763 Medium Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
V-63765 Medium NTLM must be prevented from falling back to a Null session.
V-63609 Medium Group Policy objects must be reprocessed even if they have not changed.
V-63767 Medium PKU2U authentication using online identities must be prevented.
V-63607 Medium Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
V-63355 Medium Alternate operating systems must not be permitted on the same system.
V-63725 Medium The use of OneDrive for storage must be disabled.
V-72329 Medium Run as different user must be removed from context menus.
V-63579 Medium The DoD Root CA certificates must be installed in the Trusted Root Store.
V-77239 Medium Exploit Protection mitigations in Windows 10 must be configured for OIS.EXE.
V-63633 Medium Local users on domain-joined computers must not be enumerated.
V-77235 Medium Exploit Protection mitigations in Windows 10 must be configured for OneDrive.exe.
V-77025 Medium Users must be prevented from making changes to Exploit Protection settings in the Windows Defender Security Center on Windows 10.
V-77233 Medium Exploit Protection mitigations in Windows 10 must be configured for MSPUB.EXE.
V-77095 Medium Windows 10 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.
V-77231 Medium Exploit Protection mitigations in Windows 10 must be configured for MSACCESS.EXE.
V-63721 Medium Windows 10 must be configured to require a minimum pin length of six characters or greater.
V-63751 Medium Indexing of encrypted files must be turned off.
V-63601 Medium The built-in administrator account must be disabled.
V-63753 Medium The system must be configured to prevent the storage of passwords and credentials.
V-63695 Medium File Explorer shell protocol must run in protected mode.
V-63515 Medium The system must be configured to audit System - System Integrity failures.
V-63697 Medium The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
V-63513 Medium The system must be configured to audit System - Security System Extension successes.
V-63357 Medium Non system-created file shares on a system must limit access to groups that require it.
V-72767 Medium Bluetooth must be turned off when not in use.
V-63597 Medium Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
V-63615 Medium Downloading print driver packages over HTTP must be prevented.
V-63617 Medium Local accounts with blank passwords must be restricted to prevent access from the network.
V-63593 Medium Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
V-63611 Medium The built-in guest account must be disabled.
V-63591 Medium Wi-Fi Sense must be disabled.
V-63459 Medium The system must be configured to audit Logon/Logoff - Logoff successes.
V-63457 Medium The system must be configured to audit Logon/Logoff - Group Membership successes.
V-63455 Medium The system must be configured to audit Logon/Logoff - Account Lockout successes.
V-63619 Medium The built-in administrator account must be renamed.
V-63451 Medium The system must be configured to audit Detailed Tracking - PNP Activity successes.
V-63321 Medium Users must be prevented from changing installation options.
V-63851 Medium The Allow log on locally user right must only be assigned to the Administrators and Users groups.
V-63829 Medium User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
V-76505 Medium Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10.
V-63827 Medium User Account Control must only elevate UIAccess applications that are installed in secure locations.
V-63825 Medium User Account Control must be configured to detect application installations and prompt for elevation.
V-77101 Medium Windows 10 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.
V-63821 Medium User Account Control must automatically deny elevation requests for standard users.
V-63857 Medium The Create a pagefile user right must only be assigned to the Administrators group.
V-63569 Medium Insecure logons to an SMB server must be disabled.
V-63855 Medium The Change the system time user right must only be assigned to Administrators and Local Service.
V-77189 Medium Exploit Protection mitigations in Windows 10 must be configured for Acrobat.exe.
V-71759 Medium The system must be configured to audit Logon/Logoff - Account Lockout failures.
V-63523 Medium The Security event log size must be configured to 1024000 KB or greater.
V-63743 Medium Attachments must be prevented from being downloaded from RSS feeds.
V-63741 Medium Remote Desktop Services must be configured with the client connection encryption set to the required level.
V-63747 Medium Basic authentication for RSS feeds over HTTP must not be used.
V-63507 Medium The system must be configured to audit System - Security State Change successes.
V-77091 Medium Windows 10 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.
V-63503 Medium The system must be configured to audit System - Other System Events failures.
V-63621 Medium Web publishing and online ordering wizards must be prevented from downloading a list of providers.
V-63585 Medium Connections to non-domain networks when connected to a domain authenticated network must be blocked.
V-63587 Medium The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
V-63625 Medium The built-in guest account must be renamed.
V-63581 Medium Simultaneous connections to the Internet or a Windows domain must be limited.
V-63627 Medium Systems must at least attempt device authentication using certificates.
V-63583 Medium The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
V-63629 Medium The network selection user interface (UI) must not be displayed on the logon screen.
V-63421 Medium The minimum password age must be configured to at least 1 day.
V-63931 Medium The Modify firmware environment values user right must only be assigned to the Administrators group.
V-63589 Medium The US DoD CCEB Interoperability Root CA cross-certificate must be installed in the Untrusted Certificates Store on unclassified systems.
V-63935 Medium The Profile single process user right must only be assigned to the Administrators group.
V-77227 Medium Exploit Protection mitigations in Windows 10 must be configured for lync.exe.
V-63453 Medium The system must be configured to audit Detailed Tracking - Process Creation successes.
V-63831 Medium User Account Control must virtualize file and registry write failures to per-user locations.
V-77221 Medium Exploit Protection mitigations in Windows 10 must be configured for INFOPATH.EXE.
V-77191 Medium Exploit Protection mitigations in Windows 10 must be configured for AcroRd32.exe.
V-63729 Medium Passwords must not be saved in the Remote Desktop Client.
V-77195 Medium Exploit Protection mitigations in Windows 10 must be configured for chrome.exe.
V-74725 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
V-63709 Medium The password manager function in the Edge browser must be disabled.
V-77223 Medium Exploit Protection mitigations in Windows 10 must be configured for java.exe, javaw.exe, and javaws.exe.
V-74721 Medium Windows 10 must be configured to audit Object Access - File Share successes.
V-77217 Medium Exploit Protection mitigations in Windows 10 must be configured for iexplore.exe.
V-74723 Medium The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
V-77209 Medium Exploit Protection mitigations in Windows 10 must be configured for FLTLDR.EXE.
V-63533 Medium Permissions for the Application event log must prevent access by non-privileged accounts.
V-63537 Medium Permissions for the Security event log must prevent access by non-privileged accounts.
V-63737 Medium The Remote Desktop Session Host must require secure RPC communications.
V-63733 Medium Remote Desktop Services must always prompt a client for passwords upon connection.
V-63731 Medium Local drives must be prevented from sharing with Remote Desktop Session Hosts.
V-63639 Medium Outgoing secure channel traffic must be encrypted or signed.
V-63939 Medium The Restore files and directories user right must only be assigned to the Administrators group.
V-63431 Medium The system must be configured to audit Account Logon - Credential Validation failures.
V-63635 Medium Audit policy using subcategories must be enabled.
V-63927 Medium The Manage auditing and security log user right must only be assigned to the Administrators group.
V-63925 Medium The Lock pages in memory user right must not be assigned to any groups or accounts.
V-77205 Medium Exploit Protection mitigations in Windows 10 must be configured for firefox.exe.
V-74413 Medium Windows 10 must be configured to prioritize ECC Curves with longer key lengths first.
V-63803 Medium The system must be configured to the required LDAP client signing level.
V-74411 Medium Windows 10 must be configured to audit Object Access - Other Object Access Events successes.
V-63805 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
V-74417 Medium Windows 10 must be configured to disable Windows Game Recording and Broadcasting.
V-63807 Medium The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
V-74415 Medium Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit.
V-74719 Medium The Secondary Logon service must be disabled on Windows 10.
V-63883 Medium The Force shutdown from a remote system user right must only be assigned to the Administrators group.
V-63345 Medium The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
V-63343 Medium The operating system must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
V-63887 Medium The Generate security audits user right must only be assigned to Local Service and Network Service.
V-63341 Medium The Windows Remote Management (WinRM) client must not use Digest authentication.
V-77213 Medium Exploit Protection mitigations in Windows 10 must be configured for GROOVE.EXE.
V-63405 Medium Windows 10 account lockout duration must be configured to 15 minutes or greater.
V-63889 Medium The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
V-63403 Medium Inbound exceptions to the firewall on domain workstations must only allow authorized remote management hosts.
V-63409 Medium The number of allowed bad logon attempts must be configured to 3 or less.
V-68817 Medium Command line data must be included in process creation events.
V-63817 Medium User Account Control approval mode for the built-in Administrator must be enabled.
V-63649 Medium The user must be prompted for a password on resume from sleep (plugged in).
V-63795 Medium Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
V-63811 Medium The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
V-63643 Medium Outgoing secure channel traffic must be encrypted when possible.
V-63647 Medium Outgoing secure channel traffic must be signed when possible.
V-63577 Medium Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
V-63645 Medium Users must be prompted for a password on resume from sleep (on battery).
V-63819 Medium User Account Control must, at minimum, prompt administrators for consent on the secure desktop.
V-77263 Medium Exploit Protection mitigations in Windows 10 must be configured for WINWORD.EXE.
V-74409 Medium Windows 10 must be configured to audit Object Access - Other Object Access Events failures.
V-77201 Medium Exploit Protection mitigations in Windows 10 must be configured for EXCEL.EXE.
V-63623 Medium Printing over HTTP must be prevented.
V-63333 Medium Automatically signing in the last interactive user after a system-initiated restart must be disabled.
V-77103 Medium Windows 10 Exploit Protection system-level mitigation, Validate heap integrity, must be on.
V-75027 Medium Windows 10 must be configured to audit Object Access - File Share failures.
V-63917 Medium The Load and unload device drivers user right must only be assigned to the Administrators group.
V-63427 Medium The built-in Microsoft password complexity filter must be enabled.
V-63339 Medium The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
V-63891 Medium The Increase scheduling priority user right must only be assigned to the Administrators group.
V-63517 Medium The system must be configured to audit System - System Integrity successes.
V-70637 Medium The Windows PowerShell 2.0 feature must be disabled on the system.
V-63659 Low The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
V-63715 Low The amount of idle time required before suspending a session must be configured to 15 minutes or less.
V-63653 Low The computer account password must not be prevented from being reset.
V-63323 Low Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
V-63661 Low The maximum age for machine account passwords must be configured to 30 days or less.
V-63663 Low The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
V-77085 Low Secure Boot must be enabled on Windows 10 systems.
V-77083 Low Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
V-71771 Low Microsoft consumer experiences must be turned off.
V-63687 Low Caching of logon credentials must be limited.
V-63367 Low Standard local user accounts must not exist on a system in a domain.
V-63681 Low The Windows dialog box title for the legal banner must be configured.
V-63603 Low Virtualization-based protection of code integrity must be enabled.
V-63359 Low Unused accounts must be disabled or removed from the system after 35 days of inactivity.
V-63691 Low Turning off File Explorer heap termination on corruption must be disabled.
V-63595 Low Virtualization Based Security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
V-63599 Low Credential Guard must be running on domain-joined systems.
V-63563 Low The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
V-63567 Low The system must be configured to ignore NetBIOS name release requests except from WINS servers.
V-63839 Low Toast notifications to the lock screen must be turned off.
V-65681 Low Windows Update must not obtain updates from other PCs on the Internet.
V-63815 Low The default permissions of global system objects must be increased.
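The listing above gives only rule titles; the check content for each rule lives in the STIG itself. As an added example (not DISA's tooling and not part of this page), the following PowerShell script audits a subset of the findings above on a local Windows 10 host, read-only: registry-backed settings (LM hash storage, LanMan authentication level, anonymous enumeration, WDigest, SEHOP, AlwaysInstallElevated, Remote Assistance, WinRM Basic authentication, Autoplay, SMB1 and SMB signing, UAC, script block logging, process-creation command lines), three user rights (V-63869, V-63847, V-63859) read from a `secedit` export, and the system-level Exploit Protection mitigations (V-77091 through V-77103) via `Get-ProcessMitigation`, which exists on Windows 10 1709 and later. The registry paths, expected values and privilege names are the check content of the corresponding rules as known to the author of this example, not text from this page; the function names and the `Open`/`Pass` labels are this example's own. It must run elevated.

```powershell
# Added example: read-only audit of a subset of Windows 10 STIG findings.
# Not part of the STIG viewer page; paths/values are the rules' check content.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Registry-backed findings. A missing value means the insecure default
# applies, so it is reported as Open, matching how the STIG checks read.
$RegistryChecks = @(
  @{ Id='V-63797'; Path=$Lsa; Name='NoLMHash';                  Expected=1 }
  @{ Id='V-63801'; Path=$Lsa; Name='LmCompatibilityLevel';      Expected=5 }
  @{ Id='V-63745'; Path=$Lsa; Name='RestrictAnonymousSAM';      Expected=1 }
  @{ Id='V-63749'; Path=$Lsa; Name='RestrictAnonymous';         Expected=1 }
  @{ Id='V-63755'; Path=$Lsa; Name='EveryoneIncludesAnonymous'; Expected=0 }
  @{ Id='V-63753'; Path=$Lsa; Name='DisableDomainCreds';        Expected=1 }
  @{ Id='V-71769'; Path=$Lsa; Name='RestrictRemoteSAM';         Expected='O:BAG:BAD:(A;;RC;;;BA)' }
  @{ Id='V-71763'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name='UseLogonCredential'; Expected=0 }
  @{ Id='V-68849'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'; Name='DisableExceptionChainValidation'; Expected=0 }
  @{ Id='V-63325'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name='AlwaysInstallElevated'; Expected=0 }
  @{ Id='V-63651'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='fAllowToGetHelp'; Expected=0 }
  @{ Id='V-63347'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'; Name='AllowBasic'; Expected=0 }
  @{ Id='V-63335'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';  Name='AllowBasic'; Expected=0 }
  @{ Id='V-63673'; Path=$Exp; Name='NoDriveTypeAutoRun';        Expected=255 }
  @{ Id='V-63671'; Path=$Exp; Name='NoAutorun';                 Expected=1 }
  @{ Id='V-74723'; Path=$Srv; Name='SMB1';                      Expected=0 }
  @{ Id='V-63719'; Path=$Srv; Name='RequireSecuritySignature';  Expected=1 }
  @{ Id='V-63703'; Path=$Wks; Name='RequireSecuritySignature';  Expected=1 }
  @{ Id='V-63711'; Path=$Wks; Name='EnablePlainTextPassword';   Expected=0 }
  @{ Id='V-63829'; Path=$Uac; Name='EnableLUA';                 Expected=1 }
  @{ Id='V-63597'; Path=$Uac; Name='LocalAccountTokenFilterPolicy'; Expected=0 }
  @{ Id='V-68817'; Path="$Uac\Audit"; Name='ProcessCreationIncludeCmdLine_Enabled'; Expected=1 }
  @{ Id='V-68819'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name='EnableScriptBlockLogging'; Expected=1 }
)

function Test-RegistryFinding {
    param([Parameter(Mandatory)][hashtable]$Check)
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.($Check.Name) }
    $status = 'Open'; if ($actual -eq $Check.Expected) { $status = 'Pass' }
    [pscustomobject]@{ Id=$Check.Id; Check="$($Check.Path)\$($Check.Name)"
                       Expect=$Check.Expected; Actual=$actual; Status=$status }
}

function Get-UserRightsAssignment {
    # secedit exports local policy as an INI; in [Privilege Rights] each line
    # reads "SeXxxPrivilege = *SID,*SID,..." (names appear for unresolved SIDs).
    $inf = Join-Path $env:TEMP ("stig-rights-{0}.inf" -f [guid]::NewGuid())
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*?)\s*$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | Where-Object { $_ } | ForEach-Object { $_.Trim() })
        }
    }
    Remove-Item -LiteralPath $inf -Force
    $rights
}

$AdminSid = '*S-1-5-32-544'   # BUILTIN\Administrators
$RightChecks = @(
  @{ Id='V-63869'; Privilege='SeDebugPrivilege';       Allowed=@($AdminSid) }  # Debug programs
  @{ Id='V-63847'; Privilege='SeTcbPrivilege';         Allowed=@() }           # Act as part of the OS
  @{ Id='V-63859'; Privilege='SeCreateTokenPrivilege'; Allowed=@() }           # Create a token object
)

function Test-UserRightFinding {
    param([Parameter(Mandatory)][hashtable]$Check, [Parameter(Mandatory)][hashtable]$Rights)
    $holders = @()
    if ($Rights.ContainsKey($Check.Privilege)) { $holders = $Rights[$Check.Privilege] }
    $extra = @($holders | Where-Object { $Check.Allowed -notcontains $_ })   # anything beyond the allowed set is a finding
    $status = 'Open'; if ($extra.Count -eq 0) { $status = 'Pass' }
    [pscustomobject]@{ Id=$Check.Id; Check=$Check.Privilege
                       Expect=($Check.Allowed -join ','); Actual=($holders -join ','); Status=$status }
}

function Test-SystemMitigations {
    # V-77091/95/97/101/103: the rules flag OFF; ON and NOTSET (default) both pass.
    $m = Get-ProcessMitigation -System
    foreach ($p in @(@('V-77091','DEP.Enable',$m.DEP.Enable), @('V-77095','ASLR.BottomUp',$m.ASLR.BottomUp),
                     @('V-77097','CFG.Enable',$m.CFG.Enable), @('V-77101','SEHOP.Enable',$m.SEHOP.Enable),
                     @('V-77103','Heap.TerminateOnError',$m.Heap.TerminateOnError))) {
        $status = 'Pass'; if ("$($p[2])" -eq 'OFF') { $status = 'Open' }
        [pscustomobject]@{ Id=$p[0]; Check="Get-ProcessMitigation -System $($p[1])"
                           Expect='ON or NOTSET'; Actual="$($p[2])"; Status=$status }
    }
}

$results  = @($RegistryChecks | ForEach-Object { Test-RegistryFinding -Check $_ })
$rights   = Get-UserRightsAssignment
$results += @($RightChecks | ForEach-Object { Test-UserRightFinding -Check $_ -Rights $rights })
$results += @(Test-SystemMitigations)
$results | Sort-Object Status, Id | Format-Table Id, Status, Expect, Actual, Check -AutoSize
'{0} open finding(s) of {1} checked' -f @($results | Where-Object Status -eq 'Open').Count, $results.Count
```

Two caveats a practitioner would want: the script treats an absent registry value as Open because the insecure default then applies, which is how the corresponding STIG checks are written, but it only covers the subset listed; a full assessment uses the published SCAP benchmark or the complete check text for all 280 rules. For the user-rights checks, `secedit` writes well-known principals as `*SID` entries, so comparing against `*S-1-5-32-544` is exact, while unresolved domain principals appear as names and are correctly reported as extra holders.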