| V-277982 | | Windows Server 2025 must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). | Security flaws with operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered se... |
| V-277983 | | Windows Server 2025 must prohibit the use or connection of unauthorized hardware components. | Hardware components provide the foundation for organizational systems and the platform for the execution of authorized software programs. Managing the... |
| V-277985 | | Windows Server 2025 users with administrative privileges must have separate accounts for administrative duties and normal operational tasks. | Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session ... |
| V-277986 | | Windows Server 2025 passwords for the built-in Administrator account must be changed at least every 60 days. | The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator ac... |
| V-277988 | | Windows Server 2025 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users... |
| V-277989 | | Windows Server 2025 manually managed application account passwords must be at least 15 characters in length. | Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually man... |
| V-277990 | | Windows Server 2025 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them... |
| V-277991 | | Windows Server 2025 shared user accounts must not be permitted. | Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication... |
| V-277992 | | Windows Server 2025 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Using an allowlist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decre... |
| V-277993 | | Windows Server 2025 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system ... |
| V-277995 | | Windows Server 2025 must use an antivirus program. | Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid ... |
| V-277996 | | Windows Server 2025 must have a host-based intrusion detection and prevention service (IDPS) installed. | A properly configured host-based intrusion detection system (HIDS) or host-based intrusion prevention system (HIPS) provides another level of defense ... |
| V-277998 | | Windows Server 2025 permissions for the system drive root directory (usually C:\) must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and ins... |
| V-277999 | | Windows Server 2025 permissions for program file directories must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and ins... |
| V-278000 | | Windows Server 2025 permissions for the Windows installation directory must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and ins... |
| V-278001 | | Windows Server 2025 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibi... |
| V-278003 | | Outdated or unused accounts on Windows Server 2025 must be removed or disabled. | Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still r... |
| V-278004 | | Windows Server 2025 accounts must require passwords. | The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromis... |
| V-278005 | | Windows Server 2025 passwords must be configured to expire. | Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.... |
| V-278006 | | Windows Server 2025 system files must be monitored for unauthorized changes. | Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.... |
| V-278007 | | Windows Server 2025 nonsystem-created file shares must limit access to groups that require it. | Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to ... |
| V-278008 | | Windows Server 2025 must have software certificate installation files removed. | Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based... |
| V-278009 | | Windows Server 2025 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to empl... |
| V-278010 | | Windows Server 2025 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, a... |
| V-278011 | | Windows Server 2025 must have the roles and features required by the system documented. | Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this p... |
| V-278012 | | Windows Server 2025 must have a host-based firewall installed and enabled. | A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules. Satisfies: SRG-O... |
| V-278013 | | Windows Server 2025 must automatically remove or disable temporary user accounts after 72 hours. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To ... |
| V-278014 | | Windows Server 2025 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is r... |
| V-278015 | | Windows Server 2025 must not have the Fax Server role installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-278016 | | Windows Server 2025 must not have the Microsoft FTP service installed unless required by the organization. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.... |
| V-278017 | | Windows Server 2025 must not have Wi-Fi enabled unless required by the organization. | Unnecessary connections could increase the attack surface of a system. Some of these services may not support required levels of authentication or enc... |
| V-278018 | | Windows Server 2025 must not have Bluetooth enabled unless required by the organization. | Unnecessary applications and/or services such as Bluetooth could allow an attacker to connect with intentions to take over or disrupt the system.... |
| V-278019 | | Windows Server 2025 must not have the Peer Name Resolution Protocol installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-278020 | | Windows Server 2025 must not have Simple TCP/IP Services installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-278021 | | Windows Server 2025 must not have the Telnet Client installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-278022 | | Windows Server 2025 must not have the TFTP Client installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption o... |
| V-278023 | | Windows Server 2025 must not have the Server Message Block (SMB) v1 protocol installed. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and prei... |
| V-278024 | | Windows Server 2025 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and prei... |
| V-278025 | | Windows Server 2025 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and prei... |
| V-278026 | | Windows Server 2025 must not have Windows PowerShell 2.0 installed. | Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows... |
| V-278027 | | Windows Server 2025 FTP servers must be configured to prevent anonymous logons. | The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult. Using a... |
| V-278028 | | Windows Server 2025 FTP servers must be configured to prevent access to the system drive. | The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, es... |
| V-278030 | | Windows Server 2025 must have orphaned security identifiers (SIDs) removed from user rights. | Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the ac... |
| V-278031 | | Windows Server 2025 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | UEFI provides additional security features in comparison to legacy BIOS firmware, including Secure Boot. UEFI is required to support additional securi... |
| V-278032 | | Windows Server 2025 must have Secure Boot enabled. | Secure Boot is a standard that ensures systems boot only to a trusted operating system. Secure Boot is required to support additional security feature... |
| V-278033 | | Windows Server 2025 account lockout duration must be configured to 15 minutes or greater. | When enabled, the account lockout feature prevents brute-force password attacks on the system. This parameter specifies the period of time that an acc... |
| V-278034 | | Windows Server 2025 must have the number of allowed bad logon attempts configured to three or less. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the accou... |
| V-278035 | | Windows Server 2025 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | When enabled, the account lockout feature prevents brute-force password attacks on the system. This parameter specifies the period of time that must p... |
| V-278036 | | Windows Server 2025 password history must be configured to 24 passwords remembered. | A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a uni... |
| V-278037 | | Windows Server 2025 maximum password age must be configured to 60 days or less. | The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwo... |
| V-278038 | | Windows Server 2025 minimum password age must be configured to at least one day. | Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This en... |
| V-278039 | | Windows Server 2025 must have the built-in Windows password complexity policy enabled. | The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at... |
| V-278041 | | Windows Server 2025 audit records must be backed up to a different system or media than the system being audited. | Protection of log data includes ensuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to a... |
| V-278042 | | Windows Server 2025 must, at a minimum, off-load audit records of interconnected systems in real time and off-load stand-alone or nondomain-joined systems weekly. | Protection of log data includes ensuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to a... |
| V-278043 | | Windows Server 2025 permissions for the Application event log must prevent access by nonprivileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278044 | | Windows Server 2025 permissions for the Security event log must prevent access by nonprivileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278045 | | Windows Server 2025 permissions for the System event log must prevent access by nonprivileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278046 | | Windows Server 2025 Event Viewer must be protected from unauthorized modification and deletion. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tool... |
| V-278047 | | Windows Server 2025 must be configured to audit Account Logon - Credential Validation successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278048 | | Windows Server 2025 must be configured to audit Account Logon - Credential Validation failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278049 | | Windows Server 2025 must be configured to audit Account Management - Other Account Management Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278050 | | Windows Server 2025 must be configured to audit Account Management - Security Group Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278051 | | Windows Server 2025 must be configured to audit Account Management - User Account Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278052 | | Windows Server 2025 must be configured to audit Account Management - User Account Management failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278053 | | Windows Server 2025 must be configured to audit Detailed Tracking - Plug and Play Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278054 | | Windows Server 2025 must be configured to audit Detailed Tracking - Process Creation successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278055 | | Windows Server 2025 must be configured to audit Logon/Logoff - Account Lockout successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278056 | | Windows Server 2025 must be configured to audit Logon/Logoff - Account Lockout failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278057 | | Windows Server 2025 must be configured to audit Logon/Logoff - Group Membership successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278058 | | Windows Server 2025 must be configured to audit logoff successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278059 | | Windows Server 2025 must be configured to audit logon successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278060 | | Windows Server 2025 must be configured to audit logon failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278061 | | Windows Server 2025 must be configured to audit Logon/Logoff - Special Logon successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278062 | | Windows Server 2025 must be configured to audit Object Access - Other Object Access Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278063 | | Windows Server 2025 must be configured to audit Object Access - Other Object Access Events failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278064 | | Windows Server 2025 must be configured to audit Object Access - Removable Storage successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278065 | | Windows Server 2025 must be configured to audit Object Access - Removable Storage failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278066 | | Windows Server 2025 must be configured to audit Policy Change - Audit Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278067 | | Windows Server 2025 must be configured to audit Policy Change - Audit Policy Change failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278068 | | Windows Server 2025 must be configured to audit Policy Change - Authentication Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278069 | | Windows Server 2025 must be configured to audit Policy Change - Authorization Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278070 | | Windows Server 2025 must be configured to audit Privilege Use - Sensitive Privilege Use successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278071 | | Windows Server 2025 must be configured to audit Privilege Use - Sensitive Privilege Use failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278072 | | Windows Server 2025 must be configured to audit System - IPsec Driver successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278073 | | Windows Server 2025 must be configured to audit System - IPsec Driver failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278074 | | Windows Server 2025 must be configured to audit System - Other System Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278075 | | Windows Server 2025 must be configured to audit System - Other System Events failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278076 | | Windows Server 2025 must be configured to audit System - Security State Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278077 | | Windows Server 2025 must be configured to audit System - Security System Extension successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278078 | | Windows Server 2025 must be configured to audit System - System Integrity successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278079 | | Windows Server 2025 must be configured to audit System - System Integrity failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278080 | | Windows Server 2025 must prevent the display of slide shows on the lock screen. | Slide shows displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to ... |
| V-278086 | | Windows Server 2025 insecure logons to an SMB server must be disabled. | Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper acc... |
| V-278087 | | Windows Server 2025 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. | Additional security requirements are applied to UNC paths specified in hardened UNC paths before allowing access to them. This aids in preventing tamp... |
| V-278088 | | Windows Server 2025 command line data must be included in process creation events. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278089 | | Windows Server 2025 must be configured to enable Remote host allows delegation of nonexportable credentials. | An exportable version of credentials is provided to remote hosts when using credential delegation, which exposes them to theft on the remote host. Res... |
| V-278090 | | Windows Server 2025 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | Virtualization Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of... |
| V-278091 | | Windows Server 2025 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. | Compromised boot drivers can introduce malware prior to protection mechanisms that load after initialization. The Early Launch Antimalware driver can ... |
| V-278092 | | Windows Server 2025 group policy objects must be reprocessed even if they have not changed. | Registry entries for group policy settings can potentially be changed from the required configuration. This could occur as part of troubleshooting or ... |
| V-278093 | | Windows Server 2025 downloading print driver packages over HTTP must be turned off. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capabili... |
| V-278094 | | Windows Server 2025 printing over HTTP must be turned off. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capabili... |
| V-278095 | | Windows Server 2025 network selection user interface (UI) must not be displayed on the logon screen. | Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.... |
| V-278096 | | Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (on battery). | A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be require... |
| V-278097 | | Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (plugged in). | A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be require... |
| V-278102 | | Windows Server 2025 administrator accounts must not be enumerated during elevation. | Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the sy... |
| V-278103 | | Windows Server 2025 Telemetry must be configured to limit diagnostic data sent to Microsoft. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability ... |
| V-278105 | | Windows Server 2025 Application event log size must be configured to 32768 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention b... |
| V-278106 | | Windows Server 2025 Security event log size must be configured to 196608 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention b... |
| V-278107 | | Windows Server 2025 System event log size must be configured to 32768 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention b... |
| V-278108 | | Windows Server 2025 Microsoft Defender antivirus SmartScreen must be enabled. | Microsoft Defender antivirus SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen ... |
| V-278109 | | Windows Server 2025 Explorer Data Execution Prevention must be enabled. | Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will... |
| V-278111 | | Windows Server 2025 File Explorer shell protocol must run in protected mode. | The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a... |
| V-278112 | | Windows Server 2025 must not save passwords in the Remote Desktop Client. | Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system mus... |
| V-278113 | | Windows Server 2025 Remote Desktop Services must prevent drive redirection. | Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of ... |
| V-278114 | | Windows Server 2025 Remote Desktop Services must always prompt a client for passwords upon connection. | This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would ... |
| V-278115 | | Windows Server 2025 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications. | Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs whe... |
| V-278116 | | Windows Server 2025 Remote Desktop Services must be configured with the client connection encryption set to High Level. | Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote... |
| V-278117 | | Windows Server 2025 must prevent attachments from being downloaded from RSS feeds. | Attachments from RSS feeds may not be secure. This setting will prevent attachments from being downloaded from RSS feeds.... |
| V-278118 | | Windows Server 2025 must disable Basic authentication for RSS feeds over HTTP. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.... |
| V-278119 | | Windows Server 2025 must prevent Indexing of encrypted files. | Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.... |
| V-278120 | | Windows Server 2025 must prevent users from changing installation options. | Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that ... |
| V-278122 | | Windows Server 2025 users must be notified if a web-based program attempts to install software. | Web-based programs may attempt to install malicious software on a system. Ensuring users are notified if a web-based program attempts to install softw... |
| V-278123 | | Windows Server 2025 must disable automatically signing in the last interactive user after a system-initiated restart. | Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is ... |
| V-278124 | | Windows Server 2025 PowerShell script block logging must be enabled. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278126 | | Windows Server 2025 Windows Remote Management (WinRM) client must not allow unencrypted traffic. | Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to pr... |
| V-278127 | | Windows Server 2025 Windows Remote Management (WinRM) client must not use Digest authentication. | Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce... |
| V-278129 | | Windows Server 2025 Windows Remote Management (WinRM) service must not allow unencrypted traffic. | Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to pr... |
| V-278130 | | Windows Server 2025 Windows Remote Management (WinRM) service must not store RunAs credentials. | Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for WinRM will prevent them from b... |
| V-278131 | | Windows Server 2025 must have PowerShell Transcription enabled. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278133 | | Windows Server 2025 Kerberos user logon restrictions must be enforced. | This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights... |
| V-278134 | | Windows Server 2025 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tick... |
| V-278135 | | Windows Server 2025 Kerberos user ticket lifetime must be limited to 10 hours or less. | In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time ... |
| V-278136 | | Windows Server 2025 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. | This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration li... |
| V-278137 | | Windows Server 2025 computer clock synchronization tolerance must be limited to five minutes or less. | This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a se... |
| V-278143 | | Windows Server 2025 data files owned by users must be on a different logical partition from the directory server data files. | When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical pa... |
| V-278144 | | Windows Server 2025 domain controllers must run on a machine dedicated to that function. | Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or d... |
| V-278145 | | Windows Server 2025 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the... |
| V-278148 | | Windows Server 2025 Active Directory Group Policy Objects (GPOs) must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-278149 | | Windows Server 2025 Active Directory (AD) Domain object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-278150 | | Windows Server 2025 Active Directory (AD) Infrastructure object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-278151 | | Windows Server 2025 Active Directory (AD) Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-278152 | | Windows Server 2025 Active Directory (AD) AdminSDHolder object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-278153 | | Windows Server 2025 Active Directory (AD) RID Manager$ object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data w... |
| V-278154 | | Windows Server 2025 must be configured to audit Account Management - Computer Account Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278155 | | Windows Server 2025 must be configured to audit DS Access - Directory Service Access successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278156 | | Windows Server 2025 must be configured to audit DS Access - Directory Service Access failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278157 | | Windows Server 2025 must be configured to audit DS Access - Directory Service Changes successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278158 | | Windows Server 2025 must be configured to audit DS Access - Directory Service Changes failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278159 | | Windows Server 2025 domain controllers must have a PKI server certificate. | Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain control... |
| V-278162 | | Windows Server 2025 Active Directory (AD) user accounts, including administrators, must be configured to require the use of a common access card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of ... |
| V-278163 | | Windows Server 2025 domain controllers must require LDAP access signing. | Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifie... |
| V-278164 | | Windows Server 2025 domain controllers must be configured to allow reset of machine account passwords. | Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords... |
| V-278165 | | The Windows Server 2025 "Access this computer from the network" user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Access this computer from... |
| V-278166 | | The Windows Server 2025 "Add workstations to domain" user right must only be assigned to the Administrators group on domain controllers. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Add workstations to domai... |
| V-278167 | | The Windows Server 2025 "Allow log on through Remote Desktop Services" user right must only be assigned to the Administrators group on domain controllers. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Allow log on through Remo... |
| V-278168 | | The Windows Server 2025 "Deny access to this computer from the network" user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Deny access to this computer from the n... |
| V-278169 | | The Windows Server 2025 "Deny log on as a batch job" user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Deny log on as a batch job" user right ... |
| V-278170 | | The Windows Server 2025 "Deny log on as a service" user right must be configured to include no accounts or groups (blank) on domain controllers. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Deny log on as a service" user right de... |
| V-278171 | | The Windows Server 2025 "Deny log on locally" user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Deny log on locally" user right defines... |
| V-278172 | | Windows Server 2025 must be configured for certificate-based authentication for domain controllers. | Active Directory domain services elevation of privilege vulnerability could allow a user rights to the system, such as administrative and other high-l... |
| V-278173 | | Windows Server 2025 must be configured for name-based strong mappings for certificates. | Weak mappings give rise to security vulnerabilities and demand hardening measures. Certificate names must be correctly mapped to the intended user acc... |
| V-278174 | | The Windows Server 2025 "Deny log on through Remote Desktop Services" user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop Serv... |
| V-278175 | | The Windows Server 2025 "Enable computer and user accounts to be trusted for delegation" user right must only be assigned to the Administrators group on domain controllers. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Enable computer and user accounts to be... |
| V-278176 | | The password for the krbtgt account on a domain must be reset at least every 180 days. | The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domai... |
| V-278178 | | Windows Server 2025 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers. | A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabl... |
| V-278179 | | Windows Server 2025 local users on domain-joined member servers must not be enumerated. | The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this informati... |
| V-278180 | | Windows Server 2025 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and stand-alone or nondomain-joined systems. | Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecti... |
| V-278181 | | Windows Server 2025 must limit the caching of logon credentials to four or less on domain-joined member servers. | The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for syste... |
| V-278182 | | Windows Server 2025 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and stand-alone or nondomain-joined systems. | The Windows SAM stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credenti... |
| V-278183 | | Windows Server 2025 "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and stand-alone or nondomain-joined systems. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Access this computer from... |
| V-278184 | | The Windows Server 2025 "Deny access to this computer from the network" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Deny access to this computer from the n... |
| V-278185 | | Windows Server 2025 "Deny log on as a batch job" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Deny log on as a batch job" user right ... |
| V-278186 | | The Windows Server 2025 "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Deny log on as a service" user right de... |
| V-278187 | | The Windows Server 2025 "Deny log on locally" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Deny log on locally" user right defines... |
| V-278188 | | The Windows Server 2025 "Deny log on through Remote Desktop Services" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop Serv... |
| V-278189 | | The Windows Server 2025 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and stand-alone or nondomain-joined systems. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Enable computer and user accounts to be... |
| V-278192 | | Windows Server 2025 must have the DOD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | To ensure secure DOD websites and DOD-signed code are properly validated, the system must trust the DOD Root CAs. The DOD root certificates will ensur... |
| V-278193 | | Windows Server 2025 must have the DOD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | To ensure users do not experience denial of service when performing certificate-based authentication to DOD websites due to the system chaining to a r... |
| V-278194 | | Windows Server 2025 must have the US DOD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | To ensure users do not experience denial of service when performing certificate-based authentication to DOD websites due to the system chaining to a r... |
| V-278195 | | Windows Server 2025 must have the built-in guest account disabled. | A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows sys... |
| V-278197 | | The Windows Server 2025 built-in administrator account must be renamed. | The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of... |
| V-278198 | | The Windows Server 2025 built-in guest account must be renamed. | The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allo... |
| V-278199 | | Windows Server 2025 must force audit policy subcategory settings to override audit policy category settings. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises t... |
| V-278200 | | The Windows Server 2025 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypte... |
| V-278201 | | Windows Server 2025 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypte... |
| V-278202 | | The Windows Server 2025 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity ch... |
| V-278203 | | Windows Server 2025 computer account password must not be prevented from being reset. | Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to m... |
| V-278204 | | Windows Server 2025 maximum age for machine account passwords must be configured to 30 days or less. | Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may hav... |
| V-278205 | | Windows Server 2025 must be configured to require a strong session key. | A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hija... |
| V-278206 | | Windows Server 2025 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Unattended systems are susceptible to unauthorized use and must be locked when unattended. The screen saver must be set at a maximum of 15 minutes and... |
| V-278207 | | The Windows Server 2025 required legal notice must be configured to display before console logon. | Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Sa... |
| V-278209 | | The Windows Server 2025 Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the s... |
| V-278210 | | The Windows Server 2025 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-midd... |
| V-278211 | | The Windows Server 2025 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet ... |
| V-278212 | | Windows Server 2025 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. | Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when aut... |
| V-278213 | | The Windows Server 2025 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-midd... |
| V-278214 | | The Windows Server 2025 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-midd... |
| V-278218 | | Windows Server 2025 must be configured to prevent anonymous users from having the same permissions as the Everyone group. | Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyon... |
| V-278220 | | Windows Server 2025 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. | Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymous... |
| V-278221 | | Windows Server 2025 must prevent NTLM from falling back to a Null session. | NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.... |
| V-278222 | | Windows Server 2025 must prevent PKU2U authentication using online identities. | PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication ... |
| V-278223 | | Windows Server 2025 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. Note: Organizat... |
| V-278226 | | Windows Server 2025 must be configured to at least negotiate signing for LDAP client signing. | This setting controls the signing requirements for LDAP clients. This must be set to "Negotiate signing" or "Require signing", depending on the enviro... |
| V-278227 | | Windows Server 2025 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. | Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enable... |
| V-278228 | | Windows Server 2025 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. | Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enable... |
| V-278229 | | Windows Server 2025 users must be required to enter a password to access private keys stored on the computer. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. Th... |
| V-278230 | | Windows Server 2025 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | This setting ensures the system uses FIPS-compliant algorithms for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards... |
| V-278232 | | Windows Server 2025 User Account Control (UAC) approval mode for the built-in Administrator must be enabled. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures th... |
| V-278233 | | Windows Server 2025 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. Thi... |
| V-278234 | | Windows Server 2025 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures th... |
| V-278235 | | Windows Server 2025 User Account Control (UAC) must automatically deny standard user requests for elevation. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the ... |
| V-278236 | | Windows Server 2025 User Account Control (UAC) must be configured to detect application installations and prompt for elevation. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Wind... |
| V-278237 | | Windows Server 2025 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Wi... |
| V-278238 | | Windows Server 2025 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. ... |
| V-278239 | | Windows Server 2025 User Account Control (UAC) must virtualize file and registry write failures to per-user locations. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures no... |
| V-278240 | | Windows Server 2025 must preserve zone information when saving attachments. | Attachments from outside sources may contain malicious code. Preserving zone of origin (internet, intranet, local, restricted) information on file att... |
| V-278241 | | The Windows Server 2025 "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Access Credential Manager... |
| V-278243 | | The Windows Server 2025 "Allow log on locally" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Allow log on locally" use... |
| V-278244 | | The Windows Server 2025 "Back up files and directories" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Back up files and directo... |
| V-278245 | | The Windows Server 2025 "Create a pagefile" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Create a pagefile" user r... |
| V-278247 | | The Windows Server 2025 "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Create global objects" us... |
| V-278248 | | The Windows Server 2025 "Create permanent shared objects" user right must not be assigned to any groups or accounts. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Create permanent shared o... |
| V-278249 | | The Windows Server 2025 "Create symbolic links" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Create symbolic links" us... |
| V-278251 | | The Windows Server 2025 "Force shutdown from a remote system" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Force shutdown from a rem... |
| V-278252 | | The Windows Server 2025 "Generate security audits" user right must only be assigned to Local Service and Network Service. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Generate security audits" user right sp... |
| V-278253 | | The Windows Server 2025 "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Impersonate a client after authenticati... |
| V-278254 | | The Windows Server 2025 "Increase scheduling priority" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Increase scheduling prior... |
| V-278255 | | The Windows Server 2025 "Load and unload device drivers" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities.
The "Load and unload device drivers" user ri... |
| V-278256 | | The Windows Server 2025 "Lock pages in memory" user right must not be assigned to any groups or accounts. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities.
The "Lock pages in memory" user right allows... |
| V-278257 | | The Windows Server 2025 "Manage auditing and security log" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities.
Accounts with the "Manage auditing and secur... |
| V-278258 | | The Windows Server 2025 "Modify firmware environment values" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities.
Accounts with the "Modify firmware environme... |
| V-278259 | | The Windows Server 2025 "Perform volume maintenance tasks" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities.
Accounts with the "Perform volume maintenanc... |
| V-278260 | | The Windows Server 2025 "Profile single process" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities.
Accounts with the "Profile single process" u... |
| V-278261 | | The Windows Server 2025 "Restore files and directories" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities.
Accounts with the "Restore files and directo... |
| V-278262 | | The Windows Server 2025 "Take ownership of files or other objects" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities.
Accounts with the "Take ownership of files o... |
| V-279916 | | Windows Server 2025 must be configured to audit file system failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, analyze compromises that ... |
| V-279917 | | Windows Server 2025 must be configured to audit file system successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, analyze compromises that ... |
| V-279918 | | Windows Server 2025 must be configured to audit handle manipulation failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, analyze compromises that ... |
| V-279919 | | Windows Server 2025 must be configured to audit handle manipulation successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, analyze compromises that ... |
| V-279920 | | Windows Server 2025 must be configured to audit registry failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, analyze compromises that ... |
| V-279921 | | Windows Server 2025 must be configured to audit registry successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, analyze compromises that ... |
| V-279922 | | Windows Server 2025 must be configured to audit sensitive privilege use successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, analyze compromises that ... |
| V-279923 | | Windows Server 2025 must be configured to audit sensitive privilege use failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, analyze compromises that ... |
| V-278002 | | Windows Server 2025 nonadministrative accounts or groups must only have print permissions on printer shares. | Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration... |
| V-278029 | | The Windows Server 2025 time service must synchronize with an appropriate DOD time source. | The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Wi... |
| V-278082 | | Windows Server 2025 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. | Configuring the system to disable IPv6 source routing protects against spoofing.... |
| V-278083 | | Windows Server 2025 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. | Configuring the system to disable IP source routing protects against spoofing.... |
| V-278084 | | Windows Server 2025 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. | Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via the shortest path fir... |
| V-278085 | | Windows Server 2025 must be configured to ignore NetBIOS name release requests except from WINS servers. | Configuring the system to ignore name release requests, except from WINS servers, prevents a denial-of-service (DoS) attack. The DoS consists of sendi... |
| V-278098 | | Windows Server 2025 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capabili... |
| V-278104 | | Windows Server 2025 Windows Update must not obtain updates from other PCs on the internet. | Windows Update can obtain updates from additional sources instead of Microsoft. In addition to Microsoft, updates can be obtained from and sent to PCs... |
| V-278110 | | Windows Server 2025 Turning off File Explorer heap termination on corruption must be disabled. | Legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Disabling this feature will prevent this.... |
| V-278147 | | Windows Server 2025 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity. | The failure to terminate inactive network connections increases the risk of a successful attack on the directory server. The longer an established ses... |
| V-278208 | | Windows Server 2025 title for legal banner dialog box must be configured with the appropriate text. | Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Sa... |
| V-278231 | | Windows Server 2025 default permissions of global system objects must be strengthened. | Windows systems maintain a global list of shared system resources such as DOS device names, mutexes, and semaphores. Each type of object is created wi... |
| V-277987 | | Windows Server 2025 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email. | Using applications that access the internet or have potential internet sources using administrative privileges exposes a system to compromise. If a fl... |
| V-277997 | | Windows Server 2025 local volumes must use a format that supports New Technology File System (NTFS) attributes. | The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, vo... |
| V-278040 | | Windows Server 2025 reversible password encryption must be disabled. | Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. F... |
| V-278099 | | Windows Server 2025 AutoPlay must be turned off for nonvolume devices. | Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the driv... |
| V-278100 | | Windows Server 2025 default AutoRun behavior must be configured to prevent AutoRun commands. | Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing.... |
| V-278101 | | Windows Server 2025 AutoPlay must be disabled for all drives. | Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. ... |
| V-278121 | | Windows Server 2025 must disable the Windows Installer Always install with elevated privileges option. | Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allo... |
| V-278125 | | Windows Server 2025 Windows Remote Management (WinRM) client must not use Basic authentication. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.... |
| V-278128 | | Windows Server 2025 Windows Remote Management (WinRM) service must not use Basic authentication. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.... |
| V-278132 | | Windows Server 2025 must only allow administrators responsible for the domain controller to have Administrator rights on the system. | An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify require... |
| V-278138 | | Windows Server 2025 permissions on the Active Directory data files must only allow system administrators (SAs) access. | Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete directory data or audit trails.... |
| V-278139 | | Windows Server 2025 Active Directory SYSVOL directory must have the proper access control permissions. | Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. The SYSVOL directory c... |
| V-278140 | | Windows Server 2025 Active Directory (AD) Group Policy Objects (GPOs) must have proper access control permissions. | When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, up... |
| V-278141 | | Windows Server 2025 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or d... |
| V-278142 | | Windows Server 2025 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, up... |
| V-278146 | | Windows Server 2025 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. | To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If... |
| V-278160 | | Windows Server 2025 domain controller PKI certificates must be issued by the DOD PKI or an approved External Certificate Authority (ECA). | A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper pra... |
| V-278161 | | Windows Server 2025 PKI certificates associated with user accounts must be issued by a DOD PKI or an approved External Certificate Authority (ECA). | A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper pra... |
| V-278177 | | Windows Server 2025 must only allow administrators responsible for the member server or stand-alone or nondomain-joined system to have Administrator rights on the system. | An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify require... |
| V-278190 | | Windows Server 2025 must be running Credential Guard on domain-joined member servers. | Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication... |
| V-278196 | | Windows Server 2025 must prevent local accounts with blank passwords from being used from the network. | An account without a password can allow unauthorized access to a system as only the username would be required. Password policies must prevent account... |
| V-278215 | | Windows Server 2025 must not allow anonymous SID/Name translation. | Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such t... |
| V-278216 | | Windows Server 2025 must not allow anonymous enumeration of Security Account Manager (SAM) accounts. | Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all account names, thus providing a list of pot... |
| V-278217 | | Windows Server 2025 must not allow anonymous enumeration of shares. | Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential ... |
| V-278219 | | Windows Server 2025 must restrict anonymous access to Named Pipes and Shares. | Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defin... |
| V-278225 | | Windows Server 2025 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. | The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, ... |
| V-278242 | | The Windows Server 2025 "Act as part of the operating system" user right must not be assigned to any groups or accounts. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Act as part of the operat... |
| V-278246 | | The Windows Server 2025 "Create a token object" user right must not be assigned to any groups or accounts. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. The "Create a token object" user right allow... |
| V-278250 | | The Windows Server 2025 "Debug programs" user right must only be assigned to the Administrators group. | Inappropriately granting user rights provides system, administrative, and other high-level capabilities. Accounts with the "Debug programs" user righ... |