| V-205646 | | Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper pra... |
| V-205647 | | Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper pra... |
| V-205653 | | Windows Server 2019 reversible password encryption must be disabled. | Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. F... |
| V-205654 | | Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords. | The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This set... |
| V-205663 | | Windows Server 2019 local volumes must use a format that supports NTFS attributes. | The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, vo... |
| V-205711 | | Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.... |
| V-205713 | | Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.... |
| V-205724 | | Windows Server 2019 must not allow anonymous enumeration of shares. | Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential ... |
| V-205725 | | Windows Server 2019 must restrict anonymous access to Named Pipes and Shares. | Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defin... |
| V-205727 | | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to empl... |
| V-205738 | | Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system. | An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify require... |
| V-205739 | | Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access. | Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete directory data or audit trails.... |
| V-205740 | | Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions. | Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. The SYSVOL directory c... |
| V-205741 | | Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. | When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, up... |
| V-205742 | | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or d... |
| V-205743 | | Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, up... |
| V-205746 | | Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. | An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify require... |
| V-205750 | | Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Act as part of the op... |
| V-205753 | | Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Create a token object" user right a... |
| V-205757 | | Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Debug programs" user ... |
| V-205802 | | Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option. | Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allo... |
| V-205804 | | Windows Server 2019 Autoplay must be turned off for non-volume devices. | Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the driv... |
| V-205805 | | Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands. | Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing.... |
| V-205806 | | Windows Server 2019 AutoPlay must be disabled for all drives. | Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. ... |
| V-205844 | | Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session ... |
| V-205845 | | Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a fl... |
| V-205849 | | Windows Server 2019 must be maintained at a supported servicing level. | Systems at unsupported servicing levels will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. Systems m... |
| V-205850 | | Windows Server 2019 must use an anti-virus program. | Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid ... |
| V-205875 | | Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. | To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If... |
| V-205907 | | Windows Server 2019 must be running Credential Guard on domain-joined member servers. | Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication... |
| V-205908 | | Windows Server 2019 must prevent local accounts with blank passwords from being used from the network. | An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accou... |
| V-205913 | | Windows Server 2019 must not allow anonymous SID/Name translation. | Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such t... |
| V-205914 | | Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts. | Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all account names, thus providing a list of pot... |
| V-205919 | | Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. | The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, ... |
| V-205624 | | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To ... |
| V-205625 | | Windows Server 2019 must be configured to audit Account Management - Security Group Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205626 | | Windows Server 2019 must be configured to audit Account Management - User Account Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205627 | | Windows Server 2019 must be configured to audit Account Management - User Account Management failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205628 | | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205629 | | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the accou... |
| V-205630 | | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must ... |
| V-205631 | | Windows Server 2019 required legal notice must be configured to display before console logon. | Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Sa... |
| V-205633 | | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes... |
| V-205634 | | Windows Server 2019 must be configured to audit logon successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205635 | | Windows Server 2019 must be configured to audit logon failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205636 | | Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications. | Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs whe... |
| V-205637 | | Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level. | Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote... |
| V-205638 | | Windows Server 2019 command line data must be included in process creation events. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205639 | | Windows Server 2019 PowerShell script block logging must be enabled. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205640 | | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205641 | | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205642 | | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205643 | | Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Manage auditing and s... |
| V-205644 | | Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205645 | | Windows Server 2019 domain controllers must have a PKI server certificate. | Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain control... |
| V-205648 | | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. The DoD root certificates will ensur... |
| V-205649 | | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a r... |
| V-205650 | | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a r... |
| V-205651 | | Windows Server 2019 users must be required to enter a password to access private keys stored on the computer. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. Th... |
| V-205652 | | Windows Server 2019 must have the built-in Windows password complexity policy enabled. | The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at... |
| V-205655 | | Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. | Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when aut... |
| V-205656 | | Windows Server 2019 minimum password age must be configured to at least one day. | Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This en... |
| V-205657 | | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days. | The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator ac... |
| V-205658 | | Windows Server 2019 passwords must be configured to expire. | Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.... |
| V-205659 | | Windows Server 2019 maximum password age must be configured to 60 days or less. | The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwo... |
| V-205660 | | Windows Server 2019 password history must be configured to 24 passwords remembered. | A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a uni... |
| V-205661 | | Windows Server 2019 manually managed application account passwords must be at least 14 characters in length. | Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually man... |
| V-205662 | | Windows Server 2019 minimum password length must be configured to 14 characters. | Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the... |
| V-205665 | | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access this computer ... |
| V-205666 | | Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Allow log on through ... |
| V-205667 | | Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny access to this computer from t... |
| V-205668 | | Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a batch job" user ri... |
| V-205669 | | Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a service" user righ... |
| V-205670 | | Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on locally" user right def... |
| V-205671 | | Windows Server 2019 "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access this computer ... |
| V-205672 | | Windows Server 2019 "Deny access to this computer from the network" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny access to this computer from t... |
| V-205673 | | Windows Server 2019 "Deny log on as a batch job" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a batch job" user ri... |
| V-205674 | | Windows Server 2019 "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a service" user righ... |
| V-205675 | | Windows Server 2019 "Deny log on locally" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on locally" user right def... |
| V-205676 | | Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Allow log on locally"... |
| V-205677 | | Windows Server 2019 must have the roles and features required by the system documented. | Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this p... |
| V-205678 | | Windows Server 2019 must not have the Fax Server role installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-205679 | | Windows Server 2019 must not have the Peer Name Resolution Protocol installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-205680 | | Windows Server 2019 must not have Simple TCP/IP Services installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-205681 | | Windows Server 2019 must not have the TFTP Client installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-205682 | | Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and prei... |
| V-205683 | | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and prei... |
| V-205684 | | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and prei... |
| V-205685 | | Windows Server 2019 must not have Windows PowerShell 2.0 installed. | Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows... |
| V-205686 | | Windows Server 2019 must prevent the display of slide shows on the lock screen. | Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit a... |
| V-205687 | | Windows Server 2019 must have WDigest Authentication disabled. | When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposi... |
| V-205688 | | Windows Server 2019 downloading print driver packages over HTTP must be turned off. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capabili... |
| V-205689 | | Windows Server 2019 printing over HTTP must be turned off. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capabili... |
| V-205690 | | Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen. | Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.... |
| V-205692 | | Windows Server 2019 Windows Defender SmartScreen must be enabled. | Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen can block po... |
| V-205693 | | Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.... |
| V-205694 | | Windows Server 2019 must prevent Indexing of encrypted files. | Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.... |
| V-205695 | | Windows Server 2019 domain controllers must run on a machine dedicated to that function. | Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or d... |
| V-205696 | | Windows Server 2019 local users on domain-joined member servers must not be enumerated. | The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this informati... |
| V-205697 | | Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.... |
| V-205698 | | Windows Server 2019 must not have the Telnet Client installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-205699 | | Windows Server 2019 shared user accounts must not be permitted. | Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication... |
| V-205700 | | Windows Server 2019 accounts must require passwords. | The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromis... |
| V-205701 | | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of ... |
| V-205702 | | Windows Server 2019 Kerberos user logon restrictions must be enforced. | This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights... |
| V-205703 | | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tick... |
| V-205704 | | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less. | In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time ... |
| V-205705 | | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. | This setting determines the period of time (in days) during which a user's TGT may be renewed. This security configuration limits the amount of time a... |
| V-205706 | | Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less. | This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a se... |
| V-205707 | | Windows Server 2019 outdated or unused accounts must be removed or disabled. | Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still r... |
| V-205708 | | Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. Note: Organizat... |
| V-205709 | | Windows Server 2019 must have the built-in guest account disabled. | A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows sys... |
| V-205710 | | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is r... |
| V-205712 | | Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication. | Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce... |
| V-205714 | | Windows Server 2019 administrator accounts must not be enumerated during elevation. | Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the sy... |
| V-205715 | | Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers. | A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabl... |
| V-205716 | | Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Thi... |
| V-205717 | | Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Thi... |
| V-205718 | | Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Thi... |
| V-205719 | | Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Wi... |
| V-205720 | | Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures no... |
| V-205721 | | Windows Server 2019 non-system-created file shares must limit access to groups that require it. | Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to ... |
| V-205722 | | Windows Server 2019 Remote Desktop Services must prevent drive redirection. | Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of ... |
| V-205723 | | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files. | When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical pa... |
| V-205728 | | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system compone... |
| V-205730 | | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205731 | | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-205732 | | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop ... |
| V-205733 | | Windows Server 2019 "Deny log on through Remote Desktop Services" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop ... |
| V-205734 | | Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and ins... |
| V-205735 | | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and ins... |
| V-205736 | | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and ins... |
| V-205737 | | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibi... |
| V-205744 | | Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Add workstations to d... |
| V-205745 | | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts t... |
| V-205747 | | Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems. | The Windows SAM stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credenti... |
| V-205748 | | Windows Server 2019 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts t... |
| V-205749 | | Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access Credential Man... |
| V-205751 | | Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Back up files and dir... |
| V-205752 | | Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create a pagefile" us... |
| V-205754 | | Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create global objects... |
| V-205755 | | Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create permanent shar... |
| V-205756 | | Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create symbolic links... |
| V-205758 | | Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Force shutdown from a... |
| V-205759 | | Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Generate security audits" user righ... |
| V-205760 | | Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Impersonate a client after authenti... |
| V-205761 | | Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Increase scheduling p... |
| V-205762 | | Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Load and unload device drivers" use... |
| V-205763 | | Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Lock pages in memory" user right al... |
| V-205764 | | Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Modify firmware envir... |
| V-205765 | | Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Perform volume mainte... |
| V-205766 | | Windows Server 2019 Profile single process user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Profile single proces... |
| V-205767 | | Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Restore files and dir... |
| V-205768 | | Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Take ownership of fil... |
| V-205769 | | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205770 | | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205771 | | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205772 | | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205773 | | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205774 | | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205775 | | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205776 | | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205777 | | Windows Server 2019 must be configured to audit System - IPsec Driver successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205778 | | Windows Server 2019 must be configured to audit System - IPsec Driver failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205779 | | Windows Server 2019 must be configured to audit System - Other System Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205780 | | Windows Server 2019 must be configured to audit System - Other System Events failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205781 | | Windows Server 2019 must be configured to audit System - Security State Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205782 | | Windows Server 2019 must be configured to audit System - Security System Extension successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205783 | | Windows Server 2019 must be configured to audit System - System Integrity successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205784 | | Windows Server 2019 must be configured to audit System - System Integrity failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205785 | | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-205786 | | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-205787 | | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-205788 | | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-205789 | | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-205790 | | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-205791 | | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205792 | | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205793 | | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205795 | | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an ac... |
| V-205796 | | Windows Server 2019 Application event log size must be configured to 32768 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention b... |
| V-205797 | | Windows Server 2019 Security event log size must be configured to 196608 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention b... |
| V-205798 | | Windows Server 2019 System event log size must be configured to 32768 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention b... |
| V-205799 | | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited. | Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to a... |
| V-205801 | | Windows Server 2019 must prevent users from changing installation options. | Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that ... |
| V-205803 | | Windows Server 2019 system files must be monitored for unauthorized changes. | Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.... |
| V-205807 | | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Using an allowlist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decre... |
| V-205808 | | Windows Server 2019 must not save passwords in the Remote Desktop Client. | Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system mus... |
| V-205809 | | Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection. | This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would ... |
| V-205810 | | Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials. | Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will... |
| V-205811 | | Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Thi... |
| V-205812 | | Windows Server 2019 User Account Control must automatically deny standard user requests for elevation. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Thi... |
| V-205813 | | Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Thi... |
| V-205814 | | Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems. | Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecti... |
| V-205815 | | Windows Server 2019 computer account password must not be prevented from being reset. | Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to m... |
| V-205816 | | Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic. | Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to pr... |
| V-205817 | | Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic. | Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to pr... |
| V-205818 | | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the... |
| V-205820 | | Windows Server 2019 domain controllers must require LDAP access signing. | Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifie... |
| V-205821 | | Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypte... |
| V-205822 | | Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypte... |
| V-205823 | | Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity ch... |
| V-205824 | | Windows Server 2019 must be configured to require a strong session key. | A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hija... |
| V-205825 | | Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-midd... |
| V-205826 | | Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet ... |
| V-205827 | | Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-midd... |
| V-205828 | | Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-midd... |
| V-205829 | | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, a... |
| V-205830 | | Windows Server 2019 Explorer Data Execution Prevention must be enabled. | Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will... |
| V-205832 | | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205833 | | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205834 | | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205835 | | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205836 | | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205837 | | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205838 | | Windows Server 2019 must be configured to audit logoff successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205839 | | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205840 | | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205841 | | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-205842 | | Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific ... |
| V-205843 | | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | Protection of log data includes ensuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to a... |
| V-205846 | | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users... |
| V-205847 | | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them... |
| V-205848 | | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system ... |
| V-205851 | | Windows Server 2019 must have a host-based intrusion detection or prevention system. | A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense ... |
| V-205852 | | Windows Server 2019 must have software certificate installation files removed. | Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based... |
| V-205853 | | Windows Server 2019 FTP servers must be configured to prevent anonymous logons. | The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult. Using a... |
| V-205854 | | Windows Server 2019 FTP servers must be configured to prevent access to the system drive. | The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, es... |
| V-205855 | | Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights. | Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the a... |
| V-205861 | | Windows Server 2019 insecure logons to an SMB server must be disabled. | Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper acc... |
| V-205862 | | Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. | Additional security requirements are applied to UNC paths specified in hardened UNC paths before allowing access to them. This aids in preventing tamp... |
| V-205863 | | Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials. | An exportable version of credentials is provided to remote hosts when using credential delegation which exposes them to theft on the remote host. Res... |
| V-205864 | | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | Virtualization-based security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of... |
| V-205865 | | Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. | Compromised boot drivers can introduce malware prior to protection mechanisms that load after initialization. The Early Launch Antimalware driver can ... |
| V-205866 | | Windows Server 2019 group policy objects must be reprocessed even if they have not changed. | Registry entries for group policy settings can potentially be changed from the required configuration. This could occur as part of troubleshooting or ... |
| V-205867 | | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery). | A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be require... |
| V-205868 | | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in). | A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be require... |
| V-205869 | | Windows Server 2019 Telemetry must be configured to Security or Basic. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability ... |
| V-205872 | | Windows Server 2019 File Explorer shell protocol must run in protected mode. | The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a... |
| V-205873 | | Windows Server 2019 must prevent attachments from being downloaded from RSS feeds. | Attachments from RSS feeds may not be secure. This setting will prevent attachments from being downloaded from RSS feeds.... |
| V-205874 | | Windows Server 2019 users must be notified if a web-based program attempts to install software. | Web-based programs may attempt to install malicious software on a system. Ensuring users are notified if a web-based program attempts to install softw... |
| V-205876 | | Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords. | Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords... |
| V-205877 | | The password for the krbtgt account on a domain must be reset at least every 180 days. | The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a doma... |
| V-205906 | | Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers. | The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for syste... |
| V-205909 | | Windows Server 2019 built-in administrator account must be renamed. | The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of... |
| V-205910 | | Windows Server 2019 built-in guest account must be renamed. | The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allo... |
| V-205911 | | Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less. | Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may hav... |
| V-205912 | | Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the s... |
| V-205915 | | Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group. | Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyon... |
| V-205916 | | Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. | Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymous... |
| V-205917 | | Windows Server 2019 must prevent NTLM from falling back to a Null session. | NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.... |
| V-205918 | | Windows Server 2019 must prevent PKU2U authentication using online identities. | PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication ... |
| V-205920 | | Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing. | This setting controls the signing requirements for LDAP clients. This must be set to "Negotiate signing" or "Require signing", depending on the enviro... |
| V-205921 | | Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. | Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enable... |
| V-205922 | | Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. | Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enable... |
| V-205924 | | Windows Server 2019 must preserve zone information when saving attachments. | Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file att... |
| V-205925 | | Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart. | Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is ... |
| V-214936 | | Windows Server 2019 must have a host-based firewall installed and enabled. | A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.... |
| V-257503 | | Windows Server 2019 must have PowerShell Transcription enabled. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-271428 | | Windows Server 2019 must be configured for certificate-based authentication for domain controllers. | Active Directory domain services elevation of privilege vulnerability could allow a user rights to the system, such as administrative and other high-l... |
| V-271429 | | Windows Server 2019 must be configured for named-based strong mappings for certificates. | Weak mappings give rise to security vulnerabilities and demand hardening measures. Certificate names must be correctly mapped to the intended user acc... |
| V-205632 | | Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text. | Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Sa... |
| V-205664 | | Windows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares. | Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration... |
| V-205691 | | Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capabili... |
| V-205726 | | Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity. | The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established ses... |
| V-205800 | | The Windows Server 2019 time service must synchronize with an appropriate DOD time source. | The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Wi... |
| V-205819 | | Windows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers. | Configuring the system to ignore name release requests, except from WINS servers, prevents a denial of service (DoS) attack. The DoS consists of sendi... |
| V-205856 | | Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional securi... |
| V-205857 | | Windows Server 2019 must have Secure Boot enabled. | Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security feature... |
| V-205858 | | Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. | Configuring the system to disable IPv6 source routing protects against spoofing.... |
| V-205859 | | Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. | Configuring the system to disable IP source routing protects against spoofing.... |
| V-205860 | | Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via the shortest path fir... |
| V-205870 | | Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet. | Windows Update can obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs... |
| V-205871 | | Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled. | Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.... |
| V-205923 | | Windows Server 2019 default permissions of global system objects must be strengthened. | Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created wi... |