STIGQter: STIG Summary

Windows 10 Security Technical Implementation Guide

Version: 2

Release: 2

Benchmark Date: 04 May 2021

| Name | Title |
|---|---|
| SV-220697r569187_rule | Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version. |
| SV-220698r569187_rule | Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. |
| SV-220699r569187_rule | Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. |
| SV-220700r569187_rule | Secure Boot must be enabled on Windows 10 systems. |
| SV-220701r569187_rule | Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). |
| SV-220702r569228_rule | Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. |
| SV-220703r569288_rule | Windows 10 systems must use a BitLocker PIN for pre-boot authentication. |
| SV-220704r569290_rule | Windows 10 systems must use a BitLocker PIN with a minimum length of 6 digits for pre-boot authentication. |
| SV-220705r569187_rule | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. |
| SV-220706r646212_rule | Windows 10 systems must be maintained at a supported servicing level. |
| SV-220707r569187_rule | The Windows 10 system must use an anti-virus program. |
| SV-220708r569187_rule | Local volumes must be formatted using NTFS. |
| SV-220709r569187_rule | Alternate operating systems must not be permitted on the same system. |
| SV-220710r569187_rule | Non system-created file shares on a system must limit access to groups that require it. |
| SV-220711r569187_rule | Unused accounts must be disabled or removed from the system after 35 days of inactivity. |
| SV-220712r569187_rule | Only accounts responsible for the administration of a system must have Administrator rights on the system. |
| SV-220713r569187_rule | Only accounts responsible for the backup operations must be members of the Backup Operators group. |
| SV-220714r569187_rule | Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems. |
| SV-220715r569187_rule | Standard local user accounts must not exist on a system in a domain. |
| SV-220716r569187_rule | Accounts must be configured to require password expiration. |
| SV-220717r569187_rule | Permissions for system files and directories must conform to minimum requirements. |
| SV-220718r569187_rule | Internet Information System (IIS) or its subcomponents must not be installed on a workstation. |
| SV-220719r569187_rule | Simple Network Management Protocol (SNMP) must not be installed on the system. |
| SV-220720r569187_rule | Simple TCP/IP Services must not be installed on the system. |
| SV-220721r569187_rule | The Telnet Client must not be installed on the system. |
| SV-220722r569187_rule | The TFTP Client must not be installed on the system. |
| SV-220723r569187_rule | Software certificate installation files must be removed from Windows 10. |
| SV-220724r569187_rule | A host-based firewall must be installed and enabled on the system. |
| SV-220725r569187_rule | Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts. |
| SV-220726r569187_rule | Data Execution Prevention (DEP) must be configured to at least OptOut. |
| SV-220727r569187_rule | Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. |
| SV-220728r569187_rule | The Windows PowerShell 2.0 feature must be disabled on the system. |
| SV-220729r569187_rule | The Server Message Block (SMB) v1 protocol must be disabled on the system. |
| SV-220730r569187_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. |
| SV-220731r569187_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. |
| SV-220732r569187_rule | The Secondary Logon service must be disabled on Windows 10. |
| SV-220733r569187_rule | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10. |
| SV-220734r569187_rule | Bluetooth must be turned off unless approved by the organization. |
| SV-220735r569187_rule | Bluetooth must be turned off when not in use. |
| SV-220736r569187_rule | The system must notify the user when a Bluetooth device attempts to connect. |
| SV-220737r569187_rule | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. |
| SV-220738r569187_rule | Windows 10 non-persistent VM sessions should not exceed 24 hours. |
| SV-220739r569187_rule | Windows 10 account lockout duration must be configured to 15 minutes or greater. |
| SV-220740r569187_rule | The number of allowed bad logon attempts must be configured to 3 or less. |
| SV-220741r569187_rule | The period of time before the bad logon counter is reset must be configured to 15 minutes. |
| SV-220742r569187_rule | The password history must be configured to 24 passwords remembered. |
| SV-220743r569187_rule | The maximum password age must be configured to 60 days or less. |
| SV-220744r569187_rule | The minimum password age must be configured to at least 1 day. |
| SV-220745r569187_rule | Passwords must, at a minimum, be 14 characters. |
| SV-220746r569187_rule | The built-in Microsoft password complexity filter must be enabled. |
| SV-220747r569187_rule | Reversible password encryption must be disabled. |
| SV-220748r569187_rule | The system must be configured to audit Account Logon - Credential Validation failures. |
| SV-220749r569187_rule | The system must be configured to audit Account Logon - Credential Validation successes. |
| SV-220750r569187_rule | The system must be configured to audit Account Management - Security Group Management successes. |
| SV-220751r569187_rule | The system must be configured to audit Account Management - User Account Management failures. |
| SV-220752r569187_rule | The system must be configured to audit Account Management - User Account Management successes. |
| SV-220753r569187_rule | The system must be configured to audit Detailed Tracking - PNP Activity successes. |
| SV-220754r569187_rule | The system must be configured to audit Detailed Tracking - Process Creation successes. |
| SV-220755r569187_rule | The system must be configured to audit Logon/Logoff - Account Lockout failures. |
| SV-220756r569187_rule | The system must be configured to audit Logon/Logoff - Group Membership successes. |
| SV-220757r569187_rule | The system must be configured to audit Logon/Logoff - Logoff successes. |
| SV-220758r569187_rule | The system must be configured to audit Logon/Logoff - Logon failures. |
| SV-220759r569187_rule | The system must be configured to audit Logon/Logoff - Logon successes. |
| SV-220760r569187_rule | The system must be configured to audit Logon/Logoff - Special Logon successes. |
| SV-220761r569187_rule | Windows 10 must be configured to audit Object Access - File Share failures. |
| SV-220762r569187_rule | Windows 10 must be configured to audit Object Access - File Share successes. |
| SV-220763r569187_rule | Windows 10 must be configured to audit Object Access - Other Object Access Events successes. |
| SV-220764r569187_rule | Windows 10 must be configured to audit Object Access - Other Object Access Events failures. |
| SV-220765r569187_rule | The system must be configured to audit Object Access - Removable Storage failures. |
| SV-220766r569187_rule | The system must be configured to audit Object Access - Removable Storage successes. |
| SV-220767r569187_rule | The system must be configured to audit Policy Change - Audit Policy Change successes. |
| SV-220768r569187_rule | The system must be configured to audit Policy Change - Authentication Policy Change successes. |
| SV-220769r569187_rule | The system must be configured to audit Policy Change - Authorization Policy Change successes. |
| SV-220770r569187_rule | The system must be configured to audit Privilege Use - Sensitive Privilege Use failures. |
| SV-220771r569187_rule | The system must be configured to audit Privilege Use - Sensitive Privilege Use successes. |
| SV-220772r569187_rule | The system must be configured to audit System - IPSec Driver failures. |
| SV-220773r569187_rule | The system must be configured to audit System - Other System Events successes. |
| SV-220774r569187_rule | The system must be configured to audit System - Other System Events failures. |
| SV-220775r569187_rule | The system must be configured to audit System - Security State Change successes. |
| SV-220776r569187_rule | The system must be configured to audit System - Security System Extension successes. |
| SV-220777r569187_rule | The system must be configured to audit System - System Integrity failures. |
| SV-220778r569187_rule | The system must be configured to audit System - System Integrity successes. |
| SV-220779r569187_rule | The Application event log size must be configured to 32768 KB or greater. |
| SV-220780r569187_rule | The Security event log size must be configured to 1024000 KB or greater. |
| SV-220781r569187_rule | The System event log size must be configured to 32768 KB or greater. |
| SV-220782r569187_rule | Windows 10 permissions for the Application event log must prevent access by non-privileged accounts. |
| SV-220783r569187_rule | Windows 10 permissions for the Security event log must prevent access by non-privileged accounts. |
| SV-220784r569187_rule | Windows 10 permissions for the System event log must prevent access by non-privileged accounts. |
| SV-220785r569187_rule | Windows 10 must be configured to audit Other Policy Change Events Successes. |
| SV-220786r569187_rule | Windows 10 must be configured to audit Other Policy Change Events Failures. |
| SV-220787r569187_rule | Windows 10 must be configured to audit other Logon/Logoff Events Successes. |
| SV-220788r569187_rule | Windows 10 must be configured to audit other Logon/Logoff Events Failures. |
| SV-220789r569187_rule | Windows 10 must be configured to audit Detailed File Share Failures. |
| SV-220790r569187_rule | Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes. |
| SV-220791r569187_rule | Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures. |
| SV-220792r569187_rule | Camera access from the lock screen must be disabled. |
| SV-220793r569187_rule | Windows 10 must cover or disable the built-in or attached camera when not in use. |
| SV-220794r569187_rule | The display of slide shows on the lock screen must be disabled. |
| SV-220795r569187_rule | IPv6 source routing must be configured to highest protection. |
| SV-220796r569187_rule | The system must be configured to prevent IP source routing. |
| SV-220797r569187_rule | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. |
| SV-220798r569187_rule | The system must be configured to ignore NetBIOS name release requests except from WINS servers. |
| SV-220799r569187_rule | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. |
| SV-220800r569187_rule | WDigest Authentication must be disabled. |
| SV-220801r569187_rule | Run as different user must be removed from context menus. |
| SV-220802r569187_rule | Insecure logons to an SMB server must be disabled. |
| SV-220803r569187_rule | Internet connection sharing must be disabled. |
| SV-220804r569187_rule | Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. |
| SV-220805r569187_rule | Windows 10 must be configured to prioritize ECC Curves with longer key lengths first. |
| SV-220806r569187_rule | Simultaneous connections to the Internet or a Windows domain must be limited. |
| SV-220807r569187_rule | Connections to non-domain networks when connected to a domain authenticated network must be blocked. |
| SV-220808r569187_rule | Wi-Fi Sense must be disabled. |
| SV-220809r569187_rule | Command line data must be included in process creation events. |
| SV-220810r569187_rule | Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. |
| SV-220811r569187_rule | Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. |
| SV-220812r569187_rule | Credential Guard must be running on Windows 10 domain-joined systems. |
| SV-220813r569187_rule | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers. |
| SV-220814r569187_rule | Group Policy objects must be reprocessed even if they have not changed. |
| SV-220815r569187_rule | Downloading print driver packages over HTTP must be prevented. |
| SV-220816r569187_rule | Web publishing and online ordering wizards must be prevented from downloading a list of providers. |
| SV-220817r569187_rule | Printing over HTTP must be prevented. |
| SV-220818r569187_rule | Systems must at least attempt device authentication using certificates. |
| SV-220819r569187_rule | The network selection user interface (UI) must not be displayed on the logon screen. |
| SV-220820r569187_rule | Local users on domain-joined computers must not be enumerated. |
| SV-220821r569187_rule | Users must be prompted for a password on resume from sleep (on battery). |
| SV-220822r569187_rule | The user must be prompted for a password on resume from sleep (plugged in). |
| SV-220823r569187_rule | Solicited Remote Assistance must not be allowed. |
| SV-220824r569187_rule | Unauthenticated RPC clients must be restricted from connecting to the RPC server. |
| SV-220825r569187_rule | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. |
| SV-220826r569187_rule | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. |
| SV-220827r569187_rule | Autoplay must be turned off for non-volume devices. |
| SV-220828r569187_rule | The default autorun behavior must be configured to prevent autorun commands. |
| SV-220829r569187_rule | Autoplay must be disabled for all drives. |
| SV-220830r569187_rule | Enhanced anti-spoofing for facial recognition must be enabled on Windows 10. |
| SV-220831r569187_rule | Microsoft consumer experiences must be turned off. |
| SV-220832r569187_rule | Administrator accounts must not be enumerated during elevation. |
| SV-220833r569187_rule | If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. |
| SV-220834r569187_rule | Windows Telemetry must not be configured to Full. |
| SV-220835r569187_rule | Windows Update must not obtain updates from other PCs on the Internet. |
| SV-220836r569187_rule | The Windows Defender SmartScreen for Explorer must be enabled. |
| SV-220837r569187_rule | Explorer Data Execution Prevention must be enabled. |
| SV-220838r569187_rule | Turning off File Explorer heap termination on corruption must be disabled. |
| SV-220839r569187_rule | File Explorer shell protocol must run in protected mode. |
| SV-220840r569187_rule | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. |
| SV-220841r569187_rule | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. |
| SV-220842r569187_rule | Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. |
| SV-220843r569187_rule | The password manager function in the Edge browser must be disabled. |
| SV-220844r569187_rule | The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. |
| SV-220845r569187_rule | Windows 10 must be configured to disable Windows Game Recording and Broadcasting. |
| SV-220846r569187_rule | The use of a hardware security device with Windows Hello for Business must be enabled. |
| SV-220847r569187_rule | Windows 10 must be configured to require a minimum pin length of six characters or greater. |
| SV-220848r569187_rule | Passwords must not be saved in the Remote Desktop Client. |
| SV-220849r569187_rule | Local drives must be prevented from sharing with Remote Desktop Session Hosts. |
| SV-220850r569187_rule | Remote Desktop Services must always prompt a client for passwords upon connection. |
| SV-220851r569187_rule | The Remote Desktop Session Host must require secure RPC communications. |
| SV-220852r569187_rule | Remote Desktop Services must be configured with the client connection encryption set to the required level. |
| SV-220853r569187_rule | Attachments must be prevented from being downloaded from RSS feeds. |
| SV-220854r569187_rule | Basic authentication for RSS feeds over HTTP must not be used. |
| SV-220855r569187_rule | Indexing of encrypted files must be turned off. |
| SV-220856r569187_rule | Users must be prevented from changing installation options. |
| SV-220857r569187_rule | The Windows Installer Always install with elevated privileges must be disabled. |
| SV-220858r569187_rule | Users must be notified if a web-based program attempts to install software. |
| SV-220859r569187_rule | Automatically signing in the last interactive user after a system-initiated restart must be disabled. |
| SV-220860r569187_rule | PowerShell script block logging must be enabled on Windows 10. |
| SV-220861r569305_rule | The Windows Explorer Preview pane must be disabled for Windows 10. |
| SV-220862r569187_rule | The Windows Remote Management (WinRM) client must not use Basic authentication. |
| SV-220863r569187_rule | The Windows Remote Management (WinRM) client must not allow unencrypted traffic. |
| SV-220865r654974_rule | The Windows Remote Management (WinRM) service must not use Basic authentication. |
| SV-220866r569187_rule | The Windows Remote Management (WinRM) service must not allow unencrypted traffic. |
| SV-220867r569187_rule | The Windows Remote Management (WinRM) service must not store RunAs credentials. |
| SV-220868r569187_rule | The Windows Remote Management (WinRM) client must not use Digest authentication. |
| SV-220869r569187_rule | Windows 10 must be configured to prevent Windows apps from being activated by voice while the system is locked. |
| SV-220870r569187_rule | The convenience PIN for Windows 10 must be disabled. |
| SV-220871r642141_rule | Windows Ink Workspace must be configured to disallow access above the lock. |
| SV-220872r569187_rule | Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications. |
| SV-220873r569187_rule | Windows 10 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on. |
| SV-220874r569187_rule | Windows 10 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on. |
| SV-220875r569187_rule | Windows 10 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on. |
| SV-220876r569187_rule | Windows 10 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on. |
| SV-220877r569187_rule | Windows 10 Exploit Protection system-level mitigation, Validate heap integrity, must be on. |
| SV-220878r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for Acrobat.exe. |
| SV-220879r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for AcroRd32.exe. |
| SV-220880r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for chrome.exe. |
| SV-220881r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for EXCEL.EXE. |
| SV-220882r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for firefox.exe. |
| SV-220883r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for FLTLDR.EXE. |
| SV-220884r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for GROOVE.EXE. |
| SV-220885r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for iexplore.exe. |
| SV-220886r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for INFOPATH.EXE. |
| SV-220887r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for java.exe, javaw.exe, and javaws.exe. |
| SV-220888r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for lync.exe. |
| SV-220889r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for MSACCESS.EXE. |
| SV-220890r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for MSPUB.EXE. |
| SV-220891r569308_rule | Exploit Protection mitigations in Windows 10 must be configured for OIS.EXE. |
| SV-220893r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for OUTLOOK.EXE. |
| SV-220894r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for plugin-container.exe. |
| SV-220895r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for POWERPNT.EXE. |
| SV-220896r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for PPTVIEW.EXE. |
| SV-220897r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for VISIO.EXE. |
| SV-220898r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for VPREVIEW.EXE. |
| SV-220899r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for WINWORD.EXE. |
| SV-220900r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for wmplayer.exe. |
| SV-220901r569187_rule | Exploit Protection mitigations in Windows 10 must be configured for wordpad.exe. |
| SV-220902r569187_rule | Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled. |
| SV-220903r569310_rule | The DoD Root CA certificates must be installed in the Trusted Root Store. |
| SV-220904r569312_rule | The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems. |
| SV-220905r569314_rule | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. |
| SV-220906r569316_rule | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. |
| SV-220907r569187_rule | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. |
| SV-220908r569187_rule | The built-in administrator account must be disabled. |
| SV-220909r569187_rule | The built-in guest account must be disabled. |
| SV-220910r569187_rule | Local accounts with blank passwords must be restricted to prevent access from the network. |
| SV-220911r569187_rule | The built-in administrator account must be renamed. |
| SV-220912r569187_rule | The built-in guest account must be renamed. |
| SV-220913r569187_rule | Audit policy using subcategories must be enabled. |
| SV-220914r569187_rule | Outgoing secure channel traffic must be encrypted or signed. |
| SV-220915r569187_rule | Outgoing secure channel traffic must be encrypted when possible. |
| SV-220916r569187_rule | Outgoing secure channel traffic must be signed when possible. |
| SV-220917r569187_rule | The computer account password must not be prevented from being reset. |
| SV-220918r569187_rule | The maximum age for machine account passwords must be configured to 30 days or less. |
| SV-220919r569187_rule | The system must be configured to require a strong session key. |
| SV-220920r569187_rule | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. |
| SV-220921r569187_rule | The required legal notice must be configured to display before console logon. |
| SV-220922r569187_rule | The Windows dialog box title for the legal banner must be configured. |
| SV-220923r569187_rule | Caching of logon credentials must be limited. |
| SV-220924r569187_rule | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. |
| SV-220925r569187_rule | The Windows SMB client must be configured to always perform SMB packet signing. |
| SV-220926r569187_rule | Unencrypted passwords must not be sent to third-party SMB Servers. |
| SV-220927r569187_rule | The Windows SMB server must be configured to always perform SMB packet signing. |
| SV-220928r569187_rule | Anonymous SID/Name translation must not be allowed. |
| SV-220929r569187_rule | Anonymous enumeration of SAM accounts must not be allowed. |
| SV-220930r569187_rule | Anonymous enumeration of shares must be restricted. |
| SV-220931r569187_rule | The system must be configured to prevent anonymous users from having the same rights as the Everyone group. |
| SV-220932r569187_rule | Anonymous access to Named Pipes and Shares must be restricted. |
| SV-220933r569187_rule | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. |
| SV-220934r569187_rule | NTLM must be prevented from falling back to a Null session. |
| SV-220935r569187_rule | PKU2U authentication using online identities must be prevented. |
| SV-220936r569187_rule | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. |
| SV-220937r569187_rule | The system must be configured to prevent the storage of the LAN Manager hash of passwords. |
| SV-220938r569187_rule | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. |
| SV-220939r569187_rule | The system must be configured to the required LDAP client signing level. |
| SV-220940r569187_rule | The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. |
| SV-220941r569187_rule | The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. |
| SV-220942r569187_rule | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. |
| SV-220943r569187_rule | The default permissions of global system objects must be increased. |
| SV-220944r569187_rule | User Account Control approval mode for the built-in Administrator must be enabled. |
| SV-220945r569187_rule | User Account Control must, at minimum, prompt administrators for consent on the secure desktop. |
| SV-220946r569187_rule | Windows 10 must use multifactor authentication for local and network access to privileged and non-privileged accounts. |
| SV-220947r569187_rule | User Account Control must automatically deny elevation requests for standard users. |
| SV-220948r569187_rule | User Account Control must be configured to detect application installations and prompt for elevation. |
| SV-220949r569187_rule | User Account Control must only elevate UIAccess applications that are installed in secure locations. |
| SV-220950r569187_rule | User Account Control must run all administrators in Admin Approval Mode, enabling UAC. |
| SV-220951r569187_rule | User Account Control must virtualize file and registry write failures to per-user locations. |
| SV-220952r569187_rule | Passwords for enabled local Administrator accounts must be changed at least every 60 days. |
| SV-220954r569187_rule | Toast notifications to the lock screen must be turned off. |
| SV-220955r569187_rule | Zone information must be preserved when saving attachments. |
| SV-220956r569187_rule | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. |
| SV-220957r569187_rule | The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. |
| SV-220958r569187_rule | The Act as part of the operating system user right must not be assigned to any groups or accounts. |
| SV-220959r569187_rule | The Allow log on locally user right must only be assigned to the Administrators and Users groups. |
| SV-220960r569187_rule | The Back up files and directories user right must only be assigned to the Administrators group. |
| SV-220961r569187_rule | The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc. |
| SV-220962r569187_rule | The Create a pagefile user right must only be assigned to the Administrators group. |
| SV-220963r569187_rule | The Create a token object user right must not be assigned to any groups or accounts. |
| SV-220964r569187_rule | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| SV-220965r569187_rule | The Create permanent shared objects user right must not be assigned to any groups or accounts. |
| SV-220966r569187_rule | The Create symbolic links user right must only be assigned to the Administrators group. |
| SV-220967r569187_rule | The Debug programs user right must only be assigned to the Administrators group. |
| SV-220968r569187_rule | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. |
| SV-220969r569187_rule | The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. |
| SV-220970r569187_rule | The Deny log on as a service user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts. |
| SV-220971r569187_rule | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. |
| SV-220972r569187_rule | The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. |
| SV-220973r569187_rule | The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts. |
| SV-220974r569187_rule | The Force shutdown from a remote system user right must only be assigned to the Administrators group. |
| SV-220975r569187_rule | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| SV-220976r569187_rule | The Load and unload device drivers user right must only be assigned to the Administrators group. |
| SV-220977r569187_rule | The Lock pages in memory user right must not be assigned to any groups or accounts. |
| SV-220978r569187_rule | The Manage auditing and security log user right must only be assigned to the Administrators group. |
| SV-220979r569187_rule | The Modify firmware environment values user right must only be assigned to the Administrators group. |
| SV-220980r569187_rule | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. |
| SV-220981r569187_rule | The Profile single process user right must only be assigned to the Administrators group. |
| SV-220982r569187_rule | The Restore files and directories user right must only be assigned to the Administrators group. |
| SV-220983r569187_rule | The Take ownership of files or other objects user right must only be assigned to the Administrators group. |
| SV-230220r569300_rule | PowerShell Transcription must be enabled on Windows 10. |