| V-254240 | | Windows Server 2022 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email. | Using applications that access the internet or have potential internet sources using administrative privileges exposes a system to compromise. If a fl... |
| V-254250 | | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, vo... |
| V-254262 | | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to empl... |
| V-254293 | | Windows Server 2022 reversible password encryption must be disabled. | Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. F... |
| V-254352 | | Windows Server 2022 Autoplay must be turned off for nonvolume devices. | Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the driv... |
| V-254353 | | Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands. | Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing.... |
| V-254354 | | Windows Server 2022 AutoPlay must be disabled for all drives. | Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. ... |
| V-254374 | | Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option. | Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allo... |
| V-254378 | | Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.... |
| V-254381 | | Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.... |
| V-254385 | | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system. | An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify require... |
| V-254391 | | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access. | Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete directory data or audit trails.... |
| V-254392 | | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions. | Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. The SYSVOL directory c... |
| V-254393 | | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. | When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, up... |
| V-254394 | | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or d... |
| V-254395 | | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, up... |
| V-254399 | | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. | To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If... |
| V-254413 | | Windows Server 2022 domain controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper pra... |
| V-254414 | | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper pra... |
| V-254428 | | Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. | An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify require... |
| V-254441 | | Windows Server 2022 must be running Credential Guard on domain-joined member servers. | Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication... |
| V-254446 | | Windows Server 2022 must prevent local accounts with blank passwords from being used from the network. | An account without a password can allow unauthorized access to a system as only the username would be required. Password policies must prevent account... |
| V-254465 | | Windows Server 2022 must not allow anonymous SID/Name translation. | Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such t... |
| V-254466 | | Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts. | Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all account names, thus providing a list of pot... |
| V-254467 | | Windows Server 2022 must not allow anonymous enumeration of shares. | Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential ... |
| V-254469 | | Windows Server 2022 must restrict anonymous access to Named Pipes and Shares. | Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defin... |
| V-254474 | | Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords. | The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This set... |
| V-254475 | | Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. | The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, ... |
| V-254492 | | Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Act as part of the op... |
| V-254496 | | Windows Server 2022 create a token object user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Create a token object" user right a... |
| V-254500 | | Windows Server 2022 debug programs user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Debug programs" user ... |
| V-254238 | | Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session ... |
| V-254239 | | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every 60 days. | The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator ac... |
| V-254241 | | Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users... |
| V-254242 | | Windows Server 2022 manually managed application account passwords must be at least 14 characters in length. | Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually man... |
| V-254243 | | Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them... |
| V-254244 | | Windows Server 2022 shared user accounts must not be permitted. | Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication... |
| V-254245 | | Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Using an allowlist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decre... |
| V-254246 | | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system ... |
| V-254247 | | Windows Server 2022 must be maintained at a supported servicing level. | Systems at unsupported servicing levels will not receive security updates for new vulnerabilities, which leave them subject to exploitation. Systems m... |
| V-254248 | | Windows Server 2022 must use an antivirus program. | Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid ... |
| V-254249 | | Windows Server 2022 must have a host-based intrusion detection or prevention system. | A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense ... |
| V-254251 | | Windows Server 2022 permissions for the system drive root directory (usually C:\) must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and ins... |
| V-254252 | | Windows Server 2022 permissions for program file directories must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and ins... |
| V-254253 | | Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and ins... |
| V-254254 | | Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibi... |
| V-254256 | | Windows Server 2022 outdated or unused accounts must be removed or disabled. | Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still r... |
| V-254257 | | Windows Server 2022 accounts must require passwords. | The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromis... |
| V-254258 | | Windows Server 2022 passwords must be configured to expire. | Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.... |
| V-254259 | | Windows Server 2022 system files must be monitored for unauthorized changes. | Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.... |
| V-254260 | | Windows Server 2022 nonsystem-created file shares must limit access to groups that require it. | Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to ... |
| V-254261 | | Windows Server 2022 must have software certificate installation files removed. | Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based... |
| V-254263 | | Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, a... |
| V-254264 | | Windows Server 2022 must have the roles and features required by the system documented. | Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this p... |
| V-254265 | | Windows Server 2022 must have a host-based firewall installed and enabled. | A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules. Satisfies: SRG-O... |
| V-254266 | | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system compone... |
| V-254267 | | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To ... |
| V-254268 | | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is r... |
| V-254269 | | Windows Server 2022 must not have the Fax Server role installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-254270 | | Windows Server 2022 must not have the Microsoft FTP service installed unless required by the organization. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.... |
| V-254271 | | Windows Server 2022 must not have the Peer Name Resolution Protocol installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-254272 | | Windows Server 2022 must not have Simple TCP/IP Services installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-254273 | | Windows Server 2022 must not have the Telnet Client installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-254274 | | Windows Server 2022 must not have the TFTP Client installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-254275 | | Windows Server 2022 must not have the Server Message Block (SMB) v1 protocol installed. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and prei... |
| V-254276 | | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and prei... |
| V-254277 | | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and prei... |
| V-254278 | | Windows Server 2022 must not have Windows PowerShell 2.0 installed. | Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows... |
| V-254279 | | Windows Server 2022 FTP servers must be configured to prevent anonymous logons. | The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult. Using a... |
| V-254280 | | Windows Server 2022 FTP servers must be configured to prevent access to the system drive. | The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, es... |
| V-254282 | | Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights. | Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the ac... |
| V-254283 | | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional securi... |
| V-254284 | | Windows Server 2022 must have Secure Boot enabled. | Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security feature... |
| V-254285 | | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an ac... |
| V-254286 | | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the accou... |
| V-254287 | | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must ... |
| V-254288 | | Windows Server 2022 password history must be configured to 24 passwords remembered. | A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a uni... |
| V-254289 | | Windows Server 2022 maximum password age must be configured to 60 days or less. | The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwo... |
| V-254290 | | Windows Server 2022 minimum password age must be configured to at least one day. | Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This en... |
| V-254291 | | Windows Server 2022 minimum password length must be configured to 14 characters. | Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the... |
| V-254292 | | Windows Server 2022 must have the built-in Windows password complexity policy enabled. | The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at... |
| V-254294 | | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited. | Protection of log data includes ensuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to a... |
| V-254295 | | Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to a... |
| V-254296 | | Windows Server 2022 permissions for the Application event log must prevent access by nonprivileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254297 | | Windows Server 2022 permissions for the Security event log must prevent access by nonprivileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254298 | | Windows Server 2022 permissions for the System event log must prevent access by nonprivileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254299 | | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-254300 | | Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254301 | | Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254302 | | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254303 | | Windows Server 2022 must be configured to audit Account Management - Security Group Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254304 | | Windows Server 2022 must be configured to audit Account Management - User Account Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254305 | | Windows Server 2022 must be configured to audit Account Management - User Account Management failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254306 | | Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254307 | | Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254309 | | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254310 | | Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254311 | | Windows Server 2022 must be configured to audit logoff successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254312 | | Windows Server 2022 must be configured to audit logon successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254313 | | Windows Server 2022 must be configured to audit logon failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254314 | | Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254315 | | Windows Server 2022 must be configured to audit Object Access - Other Object Access Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254316 | | Windows Server 2022 must be configured to audit Object Access - Other Object Access Events failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254317 | | Windows Server 2022 must be configured to audit Object Access - Removable Storage successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254318 | | Windows Server 2022 must be configured to audit Object Access - Removable Storage failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254319 | | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254320 | | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254321 | | Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254322 | | Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254323 | | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254324 | | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254325 | | Windows Server 2022 must be configured to audit System - IPsec Driver successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254326 | | Windows Server 2022 must be configured to audit System - IPsec Driver failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254327 | | Windows Server 2022 must be configured to audit System - Other System Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254328 | | Windows Server 2022 must be configured to audit System - Other System Events failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254329 | | Windows Server 2022 must be configured to audit System - Security State Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254330 | | Windows Server 2022 must be configured to audit System - Security System Extension successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254331 | | Windows Server 2022 must be configured to audit System - System Integrity successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254332 | | Windows Server 2022 must be configured to audit System - System Integrity failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254333 | | Windows Server 2022 must prevent the display of slide shows on the lock screen. | Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit a... |
| V-254334 | | Windows Server 2022 must have WDigest Authentication disabled. | When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposi... |
| V-254339 | | Windows Server 2022 insecure logons to an SMB server must be disabled. | Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper acc... |
| V-254340 | | Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. | Additional security requirements are applied to UNC paths specified in hardened UNC paths before allowing access to them. This aids in preventing tamp... |
| V-254341 | | Windows Server 2022 command line data must be included in process creation events. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254342 | | Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials. | An exportable version of credentials is provided to remote hosts when using credential delegation which exposes them to theft on the remote host. Rest... |
| V-254343 | | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | Virtualization Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of... |
| V-254344 | | Windows Server 2022 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. | Compromised boot drivers can introduce malware prior to protection mechanisms that load after initialization. The Early Launch Antimalware driver can ... |
| V-254345 | | Windows Server 2022 group policy objects must be reprocessed even if they have not changed. | Registry entries for group policy settings can potentially be changed from the required configuration. This could occur as part of troubleshooting or ... |
| V-254346 | | Windows Server 2022 downloading print driver packages over HTTP must be turned off. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capabili... |
| V-254347 | | Windows Server 2022 printing over HTTP must be turned off. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capabili... |
| V-254348 | | Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen. | Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.... |
| V-254349 | | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery). | A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be require... |
| V-254350 | | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in). | A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be require... |
| V-254355 | | Windows Server 2022 administrator accounts must not be enumerated during elevation. | Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the sy... |
| V-254356 | | Windows Server 2022 Diagnostic Data must be configured to send "required diagnostic data" or "optional diagnostic data". | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability ... |
| V-254358 | | Windows Server 2022 Application event log size must be configured to 32768 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention b... |
| V-254359 | | Windows Server 2022 Security event log size must be configured to 196608 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention b... |
| V-254360 | | Windows Server 2022 System event log size must be configured to 32768 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention b... |
| V-254361 | | Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled. | Microsoft Defender antivirus SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen ... |
| V-254362 | | Windows Server 2022 Explorer Data Execution Prevention must be enabled. | Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will... |
| V-254364 | | Windows Server 2022 File Explorer shell protocol must run in protected mode. | The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a... |
| V-254365 | | Windows Server 2022 must not save passwords in the Remote Desktop Client. | Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system mus... |
| V-254366 | | Windows Server 2022 Remote Desktop Services must prevent drive redirection. | Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of ... |
| V-254367 | | Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connection. | This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would ... |
| V-254368 | | Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications. | Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs whe... |
| V-254369 | | Windows Server 2022 Remote Desktop Services must be configured with the client connection encryption set to High Level. | Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote... |
| V-254370 | | Windows Server 2022 must prevent attachments from being downloaded from RSS feeds. | Attachments from RSS feeds may not be secure. This setting will prevent attachments from being downloaded from RSS feeds.... |
| V-254371 | | Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.... |
| V-254372 | | Windows Server 2022 must prevent Indexing of encrypted files. | Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.... |
| V-254373 | | Windows Server 2022 must prevent users from changing installation options. | Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that ... |
| V-254375 | | Windows Server 2022 users must be notified if a web-based program attempts to install software. | Web-based programs may attempt to install malicious software on a system. Ensuring users are notified if a web-based program attempts to install softw... |
| V-254376 | | Windows Server 2022 must disable automatically signing in the last interactive user after a system-initiated restart. | Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is ... |
| V-254377 | | Windows Server 2022 PowerShell script block logging must be enabled. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254379 | | Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic. | Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to pr... |
| V-254380 | | Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication. | Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce... |
| V-254382 | | Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic. | Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to pr... |
| V-254383 | | Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials. | Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will... |
| V-254384 | | Windows Server 2022 must have PowerShell Transcription enabled. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254386 | | Windows Server 2022 Kerberos user logon restrictions must be enforced. | This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights... |
| V-254387 | | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tick... |
| V-254388 | | Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less. | In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time ... |
| V-254389 | | Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. | This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration li... |
| V-254390 | | Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less. | This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a se... |
| V-254396 | | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files. | When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical pa... |
| V-254397 | | Windows Server 2022 domain controllers must run on a machine dedicated to that function. | Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or d... |
| V-254398 | | Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the... |
| V-254401 | | Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-254402 | | Windows Server 2022 Active Directory Domain object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-254403 | | Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-254404 | | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-254405 | | Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-254406 | | Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-254407 | | Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254408 | | Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254409 | | Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254410 | | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254412 | | Windows Server 2022 domain controllers must have a PKI server certificate. | Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain control... |
| V-254415 | | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of ... |
| V-254416 | | Windows Server 2022 domain controllers must require LDAP access signing. | Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifie... |
| V-254417 | | Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords. | Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords... |
| V-254418 | | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access this computer ... |
| V-254419 | | Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Add workstations to d... |
| V-254420 | | Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Allow log on through ... |
| V-254421 | | Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny access to this computer from t... |
| V-254422 | | Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a batch job" user ri... |
| V-254423 | | Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a service" user righ... |
| V-254424 | | Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on locally" user right def... |
| V-254425 | | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop ... |
| V-254426 | | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts t... |
| V-254427 | | The password for the krbtgt account on a domain must be reset at least every 180 days. | The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domai... |
| V-254429 | | Windows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers. | A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabl... |
| V-254430 | | Windows Server 2022 local users on domain-joined member servers must not be enumerated. | The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this informati... |
| V-254431 | | Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems. | Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecti... |
| V-254432 | | Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers. | The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for syste... |
| V-254433 | | Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems. | The Windows SAM stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credenti... |
| V-254434 | | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access this computer ... |
| V-254435 | | Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny access to this computer from t... |
| V-254436 | | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a batch job" user ri... |
| V-254437 | | Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a service" user righ... |
| V-254438 | | Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on locally" user right def... |
| V-254439 | | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop ... |
| V-254440 | | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts t... |
| V-254442 | | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. The DoD root certificates will ensur... |
| V-254443 | | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a r... |
| V-254444 | | Windows Server 2022 must have the US DOD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | To ensure users do not experience denial of service when performing certificate-based authentication to DOD websites due to the system chaining to a r... |
| V-254445 | | Windows Server 2022 must have the built-in guest account disabled. | A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows sys... |
| V-254447 | | Windows Server 2022 built-in administrator account must be renamed. | The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of... |
| V-254448 | | Windows Server 2022 built-in guest account must be renamed. | The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allo... |
| V-254449 | | Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-254450 | | Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypte... |
| V-254451 | | Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypte... |
| V-254452 | | Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity ch... |
| V-254453 | | Windows Server 2022 computer account password must not be prevented from being reset. | Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to m... |
| V-254454 | | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less. | Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may hav... |
| V-254455 | | Windows Server 2022 must be configured to require a strong session key. | A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hija... |
| V-254456 | | Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Unattended systems are susceptible to unauthorized use and must be locked when unattended. The screen saver must be set at a maximum of 15 minutes and... |
| V-254457 | | Windows Server 2022 required legal notice must be configured to display before console logon. | Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Sa... |
| V-254459 | | Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the s... |
| V-254460 | | Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-midd... |
| V-254461 | | Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet ... |
| V-254462 | | Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. | Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when aut... |
| V-254463 | | Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-midd... |
| V-254464 | | Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-midd... |
| V-254468 | | Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group. | Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyon... |
| V-254470 | | Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. | Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymous... |
| V-254471 | | Windows Server 2022 must prevent NTLM from falling back to a Null session. | NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.... |
| V-254472 | | Windows Server 2022 must prevent PKU2U authentication using online identities. | PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication ... |
| V-254473 | | Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. Note: Organizat... |
| V-254476 | | Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing. | This setting controls the signing requirements for LDAP clients. This must be set to "Negotiate signing" or "Require signing", depending on the enviro... |
| V-254477 | | Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. | Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enable... |
| V-254478 | | Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. | Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enable... |
| V-254479 | | Windows Server 2022 users must be required to enter a password to access private keys stored on the computer. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. Th... |
| V-254480 | | Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific ... |
| V-254482 | | Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must be enabled. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures th... |
| V-254483 | | Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Thi... |
| V-254484 | | Windows Server 2022 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures th... |
| V-254485 | | Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for elevation. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the ... |
| V-254486 | | Windows Server 2022 User Account Control (UAC) must be configured to detect application installations and prompt for elevation. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Wind... |
| V-254487 | | Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Wi... |
| V-254488 | | Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. ... |
| V-254489 | | Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures to per-user locations. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures no... |
| V-254490 | | Windows Server 2022 must preserve zone information when saving attachments. | Attachments from outside sources may contain malicious code. Preserving zone of origin (internet, intranet, local, restricted) information on file att... |
| V-254491 | | Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access Credential Man... |
| V-254493 | | Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Allow log on locally"... |
| V-254494 | | Windows Server 2022 back up files and directories user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Back up files and dir... |
| V-254495 | | Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create a pagefile" us... |
| V-254497 | | Windows Server 2022 create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create global objects... |
| V-254498 | | Windows Server 2022 create permanent shared objects user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create permanent shar... |
| V-254499 | | Windows Server 2022 create symbolic links user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create symbolic links... |
| V-254501 | | Windows Server 2022 force shutdown from a remote system user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Force shutdown from a... |
| V-254502 | | Windows Server 2022 generate security audits user right must only be assigned to Local Service and Network Service. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Generate security audits" user righ... |
| V-254503 | | Windows Server 2022 impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Impersonate a client after authenti... |
| V-254504 | | Windows Server 2022 increase scheduling priority: user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Increase scheduling p... |
| V-254505 | | Windows Server 2022 load and unload device drivers user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Load and unload device drivers" use... |
| V-254506 | | Windows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Lock pages in memory" user right al... |
| V-254507 | | Windows Server 2022 manage auditing and security log user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Manage auditing and s... |
| V-254508 | | Windows Server 2022 modify firmware environment values user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Modify firmware envir... |
| V-254509 | | Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Perform volume mainte... |
| V-254510 | | Windows Server 2022 profile single process user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Profile single proces... |
| V-254511 | | Windows Server 2022 restore files and directories user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Restore files and dir... |
| V-254512 | | Windows Server 2022 take ownership of files or other objects user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Take ownership of fil... |
| V-271426 | | Windows Server 2022 must be configured for certificate-based authentication for domain controllers. | Active Directory domain services elevation of privilege vulnerability could allow a user rights to the system, such as administrative and other high-l... |
| V-271427 | | Windows Server 2022 must be configured for name-based strong mappings for certificates. | Weak mappings give rise to security vulnerabilities and demand hardening measures. Certificate names must be correctly mapped to the intended user acc... |
| V-254255 | | Windows Server 2022 nonadministrative accounts or groups must only have print permissions on printer shares. | Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration... |
| V-254281 | | The Windows Server 2022 time service must synchronize with an appropriate DOD time source. | The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Wi... |
| V-254335 | | Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. | Configuring the system to disable IPv6 source routing protects against spoofing.... |
| V-254336 | | Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. | Configuring the system to disable IP source routing protects against spoofing.... |
| V-254337 | | Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via the shortest path fir... |
| V-254338 | | Windows Server 2022 must be configured to ignore NetBIOS name release requests except from WINS servers. | Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sendi... |
| V-254351 | | Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capabili... |
| V-254357 | | Windows Server 2022 Windows Update must not obtain updates from other PCs on the internet. | Windows Update can obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs... |
| V-254363 | | Windows Server 2022 Turning off File Explorer heap termination on corruption must be disabled. | Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.... |
| V-254400 | | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity. | The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established ses... |
| V-254458 | | Windows Server 2022 title for legal banner dialog box must be configured with the appropriate text. | Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Sa... |
| V-254481 | | Windows Server 2022 default permissions of global system objects must be strengthened. | Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created wi... |