Checked | Name | Title |
---|---|---|
☐ | SV-226029r569184_rule | Server systems must be located in a controlled access area, accessible only to authorized personnel. |
☐ | SV-226030r569184_rule | Users with administrative privilege must be documented. |
☐ | SV-226031r569184_rule | Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. |
☐ | SV-226032r569184_rule | Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control. |
☐ | SV-226033r569184_rule | Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization. |
☐ | SV-226034r569184_rule | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. |
☐ | SV-226035r569184_rule | Members of the Backup Operators group must be documented. |
☐ | SV-226036r569184_rule | Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. |
☐ | SV-226037r569184_rule | Policy must require application account passwords be at least 15 characters in length. |
☐ | SV-226038r569184_rule | Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. |
☐ | SV-226039r569184_rule | Shared user accounts must not be permitted on the system. |
☐ | SV-226040r569184_rule | Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance. |
☐ | SV-226041r569184_rule | System-level information must be backed up in accordance with local recovery time and recovery point objectives. |
☐ | SV-226042r569184_rule | User-level information must be backed up in accordance with local recovery time and recovery point objectives. |
☐ | SV-226043r569184_rule | Backups of system-level information must be protected. |
☐ | SV-226044r569184_rule | System-related documentation must be backed up in accordance with local recovery time and recovery point objectives. |
☐ | SV-226045r569184_rule | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. |
☐ | SV-226046r569184_rule | Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. |
☐ | SV-226047r569184_rule | Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. |
☐ | SV-226048r569184_rule | The Windows 2012 / 2012 R2 system must use an anti-virus program. |
☐ | SV-226049r569184_rule | The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2. |
☐ | SV-226050r569184_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. |
☐ | SV-226051r569184_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. |
☐ | SV-226052r569184_rule | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2. |
☐ | SV-226053r569184_rule | Windows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2. |
☐ | SV-226054r569184_rule | PowerShell script block logging must be enabled on Windows 2012/2012 R2. |
☐ | SV-226055r569184_rule | Windows PowerShell 2.0 must not be installed on Windows 2012/2012 R2. |
☐ | SV-226056r569184_rule | Windows 2012 account lockout duration must be configured to 15 minutes or greater. |
☐ | SV-226057r569184_rule | The number of allowed bad logon attempts must meet minimum requirements. |
☐ | SV-226058r569184_rule | The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012. |
☐ | SV-226059r569184_rule | The password history must be configured to 24 passwords remembered. |
☐ | SV-226060r569184_rule | The maximum password age must meet requirements. |
☐ | SV-226061r569184_rule | The minimum password age must meet requirements. |
☐ | SV-226062r569184_rule | Passwords must, at a minimum, be 14 characters. |
☐ | SV-226063r569184_rule | The built-in Windows password complexity policy must be enabled. |
☐ | SV-226064r569184_rule | Reversible password encryption must be disabled. |
☐ | SV-226065r569184_rule | Kerberos user logon restrictions must be enforced. |
☐ | SV-226066r569184_rule | The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. |
☐ | SV-226067r569184_rule | The Kerberos user ticket lifetime must be limited to 10 hours or less. |
☐ | SV-226068r569184_rule | The Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less. |
☐ | SV-226069r569184_rule | The computer clock synchronization tolerance must be limited to 5 minutes or less. |
☐ | SV-226070r569184_rule | Active Directory data files must have proper access control permissions. |
☐ | SV-226071r569184_rule | The Active Directory SYSVOL directory must have the proper access control permissions. |
☐ | SV-226072r569184_rule | Active Directory Group Policy objects must have proper access control permissions. |
☐ | SV-226073r569184_rule | The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. |
☐ | SV-226074r569184_rule | Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions. |
☐ | SV-226075r569184_rule | Data files owned by users must be on a different logical partition from the directory server data files. |
☐ | SV-226076r569184_rule | Time synchronization must be enabled on the domain controller. |
☐ | SV-226077r569184_rule | The time synchronization tool must be configured to enable logging of time source switching. |
☐ | SV-226078r569184_rule | The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function. |
☐ | SV-226079r569184_rule | Windows services that are critical for directory server operation must be configured for automatic startup. |
☐ | SV-226080r569184_rule | Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data |
☐ | SV-226081r569184_rule | Anonymous access to the root DSE of a non-public directory must be disabled. |
☐ | SV-226082r569184_rule | Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. |
☐ | SV-226083r569184_rule | The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity. |
☐ | SV-226084r569184_rule | The password for the krbtgt account on a domain must be reset at least every 180 days. |
☐ | SV-226085r569184_rule | The system must be configured to audit Account Logon - Credential Validation successes. |
☐ | SV-226086r569184_rule | The system must be configured to audit Account Logon - Credential Validation failures. |
☐ | SV-226087r569184_rule | Windows Server 2012/2012 R2 domain controllers must be configured to audit Account Management - Computer Account Management successes. |
☐ | SV-226088r569184_rule | The system must be configured to audit Account Management - Other Account Management Events successes. |
☐ | SV-226089r569184_rule | The system must be configured to audit Account Management - Security Group Management successes. |
☐ | SV-226090r569184_rule | The system must be configured to audit Account Management - User Account Management successes. |
☐ | SV-226091r569184_rule | The system must be configured to audit Account Management - User Account Management failures. |
☐ | SV-226092r569184_rule | The system must be configured to audit Detailed Tracking - Process Creation successes. |
☐ | SV-226093r569184_rule | Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout successes. |
☐ | SV-226094r569184_rule | Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout failures. |
☐ | SV-226095r569184_rule | The system must be configured to audit DS Access - Directory Service Access successes. |
☐ | SV-226096r569184_rule | The system must be configured to audit DS Access - Directory Service Access failures. |
☐ | SV-226097r569184_rule | The system must be configured to audit DS Access - Directory Service Changes successes. |
☐ | SV-226098r569184_rule | The system must be configured to audit DS Access - Directory Service Changes failures. |
☐ | SV-226099r569184_rule | The system must be configured to audit Logon/Logoff - Logoff successes. |
☐ | SV-226100r569184_rule | The system must be configured to audit Logon/Logoff - Logon successes. |
☐ | SV-226101r569184_rule | The system must be configured to audit Logon/Logoff - Logon failures. |
☐ | SV-226102r569184_rule | The system must be configured to audit Logon/Logoff - Special Logon successes. |
☐ | SV-226103r569184_rule | The system must be configured to audit Object Access - Central Access Policy Staging successes. |
☐ | SV-226104r569184_rule | The system must be configured to audit Object Access - Central Access Policy Staging failures. |
☐ | SV-226105r569184_rule | The system must be configured to audit Object Access - Removable Storage successes. |
☐ | SV-226106r569184_rule | The system must be configured to audit Object Access - Removable Storage failures. |
☐ | SV-226107r569184_rule | The system must be configured to audit Policy Change - Audit Policy Change successes. |
☐ | SV-226108r569184_rule | The system must be configured to audit Policy Change - Audit Policy Change failures. |
☐ | SV-226109r569184_rule | The system must be configured to audit Policy Change - Authentication Policy Change successes. |
☐ | SV-226110r569184_rule | The system must be configured to audit Policy Change - Authorization Policy Change successes. |
☐ | SV-226111r569184_rule | The system must be configured to audit Privilege Use - Sensitive Privilege Use successes. |
☐ | SV-226112r569184_rule | The system must be configured to audit Privilege Use - Sensitive Privilege Use failures. |
☐ | SV-226113r569184_rule | The system must be configured to audit System - IPsec Driver successes. |
☐ | SV-226114r569184_rule | The system must be configured to audit System - IPsec Driver failures. |
☐ | SV-226115r569184_rule | Windows Server 2012/2012 R2 must be configured to audit System - Other System Events successes. |
☐ | SV-226116r569184_rule | Windows Server 2012/2012 R2 must be configured to audit System - Other System Events failures. |
☐ | SV-226117r569184_rule | The system must be configured to audit System - Security State Change successes. |
☐ | SV-226118r569184_rule | The system must be configured to audit System - Security System Extension successes. |
☐ | SV-226119r569184_rule | The system must be configured to audit System - System Integrity successes. |
☐ | SV-226120r569184_rule | The system must be configured to audit System - System Integrity failures. |
☐ | SV-226121r569184_rule | Audit data must be reviewed on a regular basis. |
☐ | SV-226122r569184_rule | Audit data must be retained for at least one year. |
☐ | SV-226123r569184_rule | Audit records must be backed up onto a different system or media than the system being audited. |
☐ | SV-226124r569184_rule | The operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. |
☐ | SV-226125r569184_rule | Permissions for the Application event log must prevent access by nonprivileged accounts. |
☐ | SV-226126r569184_rule | Permissions for the Security event log must prevent access by nonprivileged accounts. |
☐ | SV-226127r569184_rule | Permissions for the System event log must prevent access by nonprivileged accounts. |
☐ | SV-226128r569184_rule | Active Directory Group Policy objects must be configured with proper audit settings. |
☐ | SV-226129r569184_rule | The Active Directory Domain object must be configured with proper audit settings. |
☐ | SV-226130r569184_rule | The Active Directory Infrastructure object must be configured with proper audit settings. |
☐ | SV-226131r569184_rule | The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. |
☐ | SV-226132r569184_rule | The Active Directory AdminSDHolder object must be configured with proper audit settings. |
☐ | SV-226133r569184_rule | The Active Directory RID Manager$ object must be configured with proper audit settings. |
☐ | SV-226134r569184_rule | Event Viewer must be protected from unauthorized modification and deletion. |
☐ | SV-226135r569184_rule | The Mapper I/O network protocol (LLTDIO) driver must be disabled. |
☐ | SV-226136r569184_rule | The Responder network protocol driver must be disabled. |
☐ | SV-226137r569184_rule | Windows Peer-to-Peer networking services must be turned off. |
☐ | SV-226138r569184_rule | Network Bridges must be prohibited in Windows. |
☐ | SV-226139r569184_rule | Domain users must be required to elevate when setting a network's location. |
☐ | SV-226140r569184_rule | All Direct Access traffic must be routed through the internal network. |
☐ | SV-226141r569184_rule | The 6to4 IPv6 transition technology must be disabled. |
☐ | SV-226142r569184_rule | The IP-HTTPS IPv6 transition technology must be disabled. |
☐ | SV-226143r569184_rule | The ISATAP IPv6 transition technology must be disabled. |
☐ | SV-226144r569184_rule | The Teredo IPv6 transition technology must be disabled. |
☐ | SV-226145r569184_rule | IP stateless autoconfiguration limits state must be enabled. |
☐ | SV-226146r569184_rule | The configuration of wireless devices using Windows Connect Now must be disabled. |
☐ | SV-226147r569184_rule | The Windows Connect Now wizards must be disabled. |
☐ | SV-226148r569184_rule | Windows Update must be prevented from searching for point and print drivers. |
☐ | SV-226149r569184_rule | Optional component installation and component repair must be prevented from using Windows Update. |
☐ | SV-226150r569184_rule | Remote access to the Plug and Play interface must be disabled for device installation. |
☐ | SV-226151r569184_rule | An Error Report must not be sent when a generic device driver is installed. |
☐ | SV-226152r569184_rule | A system restore point must be created when a new device driver is installed. |
☐ | SV-226153r569184_rule | Device metadata retrieval from the Internet must be prevented. |
☐ | SV-226154r569184_rule | Windows must be prevented from sending an error report when a device driver requests additional software during installation. |
☐ | SV-226155r569184_rule | Device driver searches using Windows Update must be prevented. |
☐ | SV-226156r569184_rule | Device driver updates must only search managed servers, not Windows Update. |
☐ | SV-226157r569184_rule | Users must not be prompted to search Windows Update for device drivers. |
☐ | SV-226158r569184_rule | Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown. |
☐ | SV-226159r569184_rule | Group Policy objects must be reprocessed even if they have not changed. |
☐ | SV-226160r569184_rule | Group Policies must be refreshed in the background if the user is logged on. |
☐ | SV-226161r569184_rule | Access to the Windows Store must be turned off. |
☐ | SV-226162r569184_rule | Downloading print driver packages over HTTP must be prevented. |
☐ | SV-226163r569184_rule | Event Viewer Events.asp links must be turned off. |
☐ | SV-226164r569184_rule | Errors in handwriting recognition on tablet PCs must not be reported to Microsoft. |
☐ | SV-226165r569184_rule | The Internet File Association service must be turned off. |
☐ | SV-226166r569184_rule | Printing over HTTP must be prevented. |
☐ | SV-226167r569184_rule | The Windows Customer Experience Improvement Program must be disabled. |
☐ | SV-226168r569184_rule | Windows must be prevented from using Windows Update to search for drivers. |
☐ | SV-226169r569184_rule | Copying of user input methods to the system account for sign-in must be prevented. |
☐ | SV-226170r569184_rule | Local users on domain-joined computers must not be enumerated. |
☐ | SV-226171r569184_rule | App notifications on the lock screen must be turned off. |
☐ | SV-226172r569184_rule | Users must be prompted to authenticate on resume from sleep (on battery). |
☐ | SV-226173r569184_rule | The user must be prompted to authenticate on resume from sleep (plugged in). |
☐ | SV-226174r569184_rule | The system must be configured to prevent unsolicited remote assistance offers. |
☐ | SV-226175r569184_rule | Solicited Remote Assistance must not be allowed. |
☐ | SV-226176r569184_rule | Remote Assistance log files must be generated. |
☐ | SV-226177r569184_rule | The detection of compatibility issues for applications and drivers must be turned off. |
☐ | SV-226178r569184_rule | Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented. |
☐ | SV-226179r569184_rule | Access to Windows Online Troubleshooting Service (WOTS) must be prevented. |
☐ | SV-226180r569184_rule | Responsiveness events must be prevented from being aggregated and sent to Microsoft. |
☐ | SV-226181r569184_rule | The time service must synchronize with an appropriate DoD time source. |
☐ | SV-226182r569184_rule | Trusted app installation must be enabled to allow for signed enterprise line of business apps. |
☐ | SV-226183r569184_rule | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. |
☐ | SV-226184r569184_rule | Autoplay must be turned off for non-volume devices. |
☐ | SV-226185r569184_rule | The default Autorun behavior must be configured to prevent Autorun commands. |
☐ | SV-226186r569184_rule | Autoplay must be disabled for all drives. |
☐ | SV-226187r569184_rule | The use of biometrics must be disabled. |
☐ | SV-226188r569184_rule | The password reveal button must not be displayed. |
☐ | SV-226189r569184_rule | Administrator accounts must not be enumerated during elevation. |
☐ | SV-226190r569184_rule | The Application event log size must be configured to 32768 KB or greater. |
☐ | SV-226191r569184_rule | The Security event log size must be configured to 196608 KB or greater. |
☐ | SV-226192r569184_rule | The Setup event log size must be configured to 32768 KB or greater. |
☐ | SV-226193r569184_rule | The System event log size must be configured to 32768 KB or greater. |
☐ | SV-226194r569184_rule | Windows SmartScreen must be enabled on Windows 2012/2012 R2. |
☐ | SV-226195r569184_rule | Explorer Data Execution Prevention must be enabled. |
☐ | SV-226196r569184_rule | Turning off File Explorer heap termination on corruption must be disabled. |
☐ | SV-226197r569184_rule | File Explorer shell protocol must run in protected mode. |
☐ | SV-226198r569184_rule | The location feature must be turned off. |
☐ | SV-226199r569184_rule | Passwords must not be saved in the Remote Desktop Client. |
☐ | SV-226200r569184_rule | Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role). |
☐ | SV-226201r569184_rule | Remote Desktop Services must always prompt a client for passwords upon connection. |
☐ | SV-226202r569184_rule | Remote Desktop Services must be configured with the client connection encryption set to the required level. |
☐ | SV-226203r569184_rule | Remote Desktop Services must delete temporary folders when a session is terminated. |
☐ | SV-226204r569184_rule | Remote Desktop Services must be configured to use session-specific temporary folders. |
☐ | SV-226205r569184_rule | Attachments must be prevented from being downloaded from RSS feeds. |
☐ | SV-226206r569184_rule | Basic authentication for RSS feeds over HTTP must be turned off. |
☐ | SV-226207r569184_rule | Automatic download of updates from the Windows Store must be turned off. |
☐ | SV-226208r569184_rule | The Windows Store application must be turned off. |
☐ | SV-226209r569184_rule | Users must be prevented from changing installation options. |
☐ | SV-226210r569184_rule | The Windows Installer Always install with elevated privileges option must be disabled. |
☐ | SV-226211r569184_rule | Users must be notified if a web-based program attempts to install software. |
☐ | SV-226212r569184_rule | Nonadministrators must be prevented from applying vendor-signed updates. |
☐ | SV-226213r569184_rule | Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet. |
☐ | SV-226214r569184_rule | Users must not be presented with Privacy and Installation options on first use of Windows Media Player. |
☐ | SV-226215r569184_rule | Windows Media Player must be configured to prevent automatic checking for updates. |
☐ | SV-226216r569184_rule | The Windows Remote Management (WinRM) client must not use Basic authentication. |
☐ | SV-226217r569184_rule | The Windows Remote Management (WinRM) client must not allow unencrypted traffic. |
☐ | SV-226218r569184_rule | The Windows Remote Management (WinRM) client must not use Digest authentication. |
☐ | SV-226219r569184_rule | The Windows Remote Management (WinRM) service must not use Basic authentication. |
☐ | SV-226220r569184_rule | The Windows Remote Management (WinRM) service must not allow unencrypted traffic. |
☐ | SV-226221r569184_rule | The Windows Remote Management (WinRM) service must not store RunAs credentials. |
☐ | SV-226222r569184_rule | The Remote Desktop Session Host must require secure RPC communications. |
☐ | SV-226224r569184_rule | Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role). |
☐ | SV-226225r569184_rule | Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role). |
☐ | SV-226226r569184_rule | The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role). |
☐ | SV-226227r569184_rule | Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role). |
☐ | SV-226228r569184_rule | Only the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role). |
☐ | SV-226229r569184_rule | The display of slide shows on the lock screen must be disabled (Windows 2012 R2). |
☐ | SV-226230r569184_rule | Windows 2012 R2 must include command line data in process creation events. |
☐ | SV-226231r569184_rule | The network selection user interface (UI) must not be displayed on the logon screen (Windows 2012 R2). |
☐ | SV-226232r569184_rule | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled (Windows 2012 R2). |
☐ | SV-226233r569184_rule | The Windows Explorer Preview pane must be disabled for Windows 2012. |
☐ | SV-226234r569184_rule | Automatically signing in the last interactive user after a system-initiated restart must be disabled (Windows 2012 R2). |
☐ | SV-226235r569184_rule | WDigest Authentication must be disabled. |
☐ | SV-226236r569184_rule | A host-based firewall must be installed and enabled on the system. |
☐ | SV-226237r569184_rule | Systems must be maintained at a supported service pack level. |
☐ | SV-226238r569184_rule | Only administrators responsible for the domain controller must have Administrator rights on the system. |
☐ | SV-226239r569184_rule | Local volumes must use a format that supports NTFS attributes. |
☐ | SV-226240r569184_rule | Permissions for system drive root directory (usually C:\) must conform to minimum requirements. |
☐ | SV-226241r569184_rule | Permissions for program file directories must conform to minimum requirements. |
☐ | SV-226242r569184_rule | Permissions for Windows installation directory must conform to minimum requirements. |
☐ | SV-226243r569184_rule | The system must not boot into multiple operating systems (dual-boot). |
☐ | SV-226244r569184_rule | Nonadministrative user accounts or groups must only have print permissions on printer shares. |
☐ | SV-226245r569184_rule | Outdated or unused accounts must be removed from the system or disabled. |
☐ | SV-226246r569184_rule | Windows 2012/2012 R2 accounts must be configured to require passwords. |
☐ | SV-226247r569184_rule | Windows 2012/2012 R2 passwords must be configured to expire. |
☐ | SV-226248r569266_rule | System files must be monitored for unauthorized changes. |
☐ | SV-226249r569184_rule | Non system-created file shares on a system must limit access to groups that require it. |
☐ | SV-226250r569184_rule | The HBSS McAfee Agent must be installed. |
☐ | SV-226251r569184_rule | Software certificate installation files must be removed from Windows 2012/2012 R2. |
☐ | SV-226252r569184_rule | Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system. |
☐ | SV-226253r569184_rule | Servers must have a host-based Intrusion Detection System. |
☐ | SV-226254r569184_rule | Windows Server 2012 / 2012 R2 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). |
☐ | SV-226255r569184_rule | The system must support automated patch management tools to facilitate flaw remediation. |
☐ | SV-226256r569184_rule | The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes. |
☐ | SV-226257r569184_rule | File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons. |
☐ | SV-226258r569184_rule | File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive. |
☐ | SV-226259r569184_rule | Windows 2012 / 2012 R2 must automatically remove or disable temporary user accounts after 72 hours. |
☐ | SV-226260r569184_rule | Windows 2012 / 2012 R2 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. |
☐ | SV-226261r569261_rule | The DoD Root CA certificates must be installed in the Trusted Root Store. |
☐ | SV-226262r569264_rule | The DoD Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems. |
☐ | SV-226263r569258_rule | The US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems. |
☐ | SV-226264r569184_rule | Domain controllers must have a PKI server certificate. |
☐ | SV-226265r569184_rule | Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). |
☐ | SV-226266r569184_rule | PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA). |
☐ | SV-226267r569184_rule | Active directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. |
☐ | SV-226268r569184_rule | Standard user accounts must only have Read permissions to the Winlogon registry key. |
☐ | SV-226269r569184_rule | Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key. |
☐ | SV-226270r569184_rule | Anonymous access to the registry must be restricted. |
☐ | SV-226271r569184_rule | The built-in guest account must be disabled. |
☐ | SV-226272r569184_rule | Local accounts with blank passwords must be restricted to prevent access from the network. |
☐ | SV-226273r569184_rule | The built-in administrator account must be renamed. |
☐ | SV-226274r569184_rule | The built-in guest account must be renamed. |
☐ | SV-226275r569184_rule | Auditing the Access of Global System Objects must be turned off. |
☐ | SV-226276r569184_rule | Auditing of Backup and Restore Privileges must be turned off. |
☐ | SV-226277r569184_rule | Audit policy using subcategories must be enabled. |
☐ | SV-226278r569184_rule | Ejection of removable NTFS media must be restricted to Administrators. |
☐ | SV-226279r569184_rule | Outgoing secure channel traffic must be encrypted or signed. |
☐ | SV-226280r569184_rule | Outgoing secure channel traffic must be encrypted when possible. |
☐ | SV-226281r569184_rule | Outgoing secure channel traffic must be signed when possible. |
☐ | SV-226282r569184_rule | The computer account password must not be prevented from being reset. |
☐ | SV-226283r569184_rule | The maximum age for machine account passwords must be set to requirements. |
☐ | SV-226284r569184_rule | The system must be configured to require a strong session key. |
☐ | SV-226285r569184_rule | The system must be configured to prevent the display of the last username on the logon screen. |
☐ | SV-226286r569184_rule | The Ctrl+Alt+Del security attention sequence for logons must be enabled. |
☐ | SV-226287r569184_rule | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. |
☐ | SV-226288r569184_rule | The required legal notice must be configured to display before console logon. |
☐ | SV-226289r569184_rule | The Windows dialog box title for the legal banner must be configured. |
☐ | SV-226290r569184_rule | Caching of logon credentials must be limited. |
☐ | SV-226291r569184_rule | Users must be warned in advance of their passwords expiring. |
☐ | SV-226292r569184_rule | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. |
☐ | SV-226293r569184_rule | The Windows SMB client must be configured to always perform SMB packet signing. |
☐ | SV-226294r569184_rule | The Windows SMB client must be enabled to perform SMB packet signing when possible. |
☐ | SV-226295r569184_rule | Unencrypted passwords must not be sent to third-party SMB Servers. |
☐ | SV-226296r569184_rule | The amount of idle time required before suspending a session must be properly set. |
☐ | SV-226297r569184_rule | The Windows SMB server must be configured to always perform SMB packet signing. |
☐ | SV-226298r569184_rule | The Windows SMB server must perform SMB packet signing when possible. |
☐ | SV-226299r569184_rule | Users must be forcibly disconnected when their logon hours expire. |
☐ | SV-226300r569184_rule | The service principal name (SPN) target name validation level must be turned off. |
☐ | SV-226301r569184_rule | Automatic logons must be disabled. |
☐ | SV-226302r569184_rule | IPv6 source routing must be configured to the highest protection level. |
☐ | SV-226303r569184_rule | The system must be configured to prevent IP source routing. |
☐ | SV-226304r569184_rule | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. |
☐ | SV-226305r569184_rule | The system must be configured to limit how often keep-alive packets are sent. |
☐ | SV-226306r569184_rule | IPSec Exemptions must be limited. |
☐ | SV-226307r569184_rule | The system must be configured to ignore NetBIOS name release requests except from WINS servers. |
☐ | SV-226308r569184_rule | The system must be configured to disable the Internet Router Discovery Protocol (IRDP). |
☐ | SV-226309r569184_rule | The system must be configured to use Safe DLL Search Mode. |
☐ | SV-226310r569184_rule | The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active. |
☐ | SV-226311r569184_rule | IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted. |
☐ | SV-226312r569184_rule | The system must limit how many times unacknowledged TCP data is retransmitted. |
☐ | SV-226313r569184_rule | The system must generate an audit event when the audit log reaches a percentage of full threshold. |
☐ | SV-226314r569184_rule | Anonymous SID/Name translation must not be allowed. |
☐ | SV-226315r569184_rule | Anonymous enumeration of SAM accounts must not be allowed. |
☐ | SV-226316r569184_rule | Anonymous enumeration of shares must be restricted. |
☐ | SV-226317r569184_rule | The system must be configured to prevent anonymous users from having the same rights as the Everyone group. |
☐ | SV-226318r569184_rule | Named pipes that can be accessed anonymously must be configured with limited values on domain controllers. |
☐ | SV-226319r569184_rule | Unauthorized remotely accessible registry paths must not be configured. |
☐ | SV-226320r569184_rule | Unauthorized remotely accessible registry paths and sub-paths must not be configured. |
☐ | SV-226321r569184_rule | Anonymous access to Named Pipes and Shares must be restricted. |
☐ | SV-226322r569184_rule | Network shares that can be accessed anonymously must not be allowed. |
☐ | SV-226323r569184_rule | The system must be configured to use the Classic security model. |
☐ | SV-226324r569184_rule | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. |
☐ | SV-226325r569184_rule | NTLM must be prevented from falling back to a Null session. |
☐ | SV-226326r569184_rule | PKU2U authentication using online identities must be prevented. |
☐ | SV-226327r569184_rule | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. |
☐ | SV-226328r569184_rule | The system must be configured to prevent the storage of the LAN Manager hash of passwords. |
☐ | SV-226329r569184_rule | The system must be configured to force users to log off when their allowed logon hours expire. |
☐ | SV-226330r569184_rule | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. |
☐ | SV-226331r569184_rule | The system must be configured to the required LDAP client signing level. |
☐ | SV-226332r569184_rule | The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients. |
☐ | SV-226333r569184_rule | The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers. |
☐ | SV-226334r569184_rule | The shutdown option must not be available from the logon dialog box. |
☐ | SV-226335r569184_rule | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. |
☐ | SV-226336r569184_rule | The system must be configured to require case insensitivity for non-Windows subsystems. |
☐ | SV-226337r569184_rule | The default permissions of global system objects must be increased. |
☐ | SV-226338r569184_rule | User Account Control approval mode for the built-in Administrator must be enabled. |
☐ | SV-226339r569184_rule | User Account Control must, at minimum, prompt administrators for consent. |
☐ | SV-226340r569184_rule | User Account Control must automatically deny standard user requests for elevation. |
☐ | SV-226341r569184_rule | User Account Control must be configured to detect application installations and prompt for elevation. |
☐ | SV-226342r569184_rule | Windows must elevate all applications in User Account Control, not just signed ones. |
☐ | SV-226343r569184_rule | User Account Control must only elevate UIAccess applications that are installed in secure locations. |
☐ | SV-226344r569184_rule | User Account Control must run all administrators in Admin Approval Mode, enabling UAC. |
☐ | SV-226345r569184_rule | User Account Control must switch to the secure desktop when prompting for elevation. |
☐ | SV-226346r569184_rule | User Account Control must virtualize file and registry write failures to per-user locations. |
☐ | SV-226347r569184_rule | UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. |
☐ | SV-226348r569184_rule | Optional Subsystems must not be permitted to operate on the system. |
☐ | SV-226349r569184_rule | The print driver installation privilege must be restricted to administrators. |
☐ | SV-226350r569184_rule | Domain controllers must require LDAP access signing. |
☐ | SV-226351r569184_rule | Domain controllers must be configured to allow reset of machine account passwords. |
☐ | SV-226352r569184_rule | Users must be required to enter a password to access private keys stored on the computer. |
☐ | SV-226353r569184_rule | The Fax service must be disabled if installed. |
☐ | SV-226354r569184_rule | The Microsoft FTP service must not be installed unless required. |
☐ | SV-226355r569184_rule | The Peer Networking Identity Manager service must be disabled if installed. |
☐ | SV-226356r569184_rule | The Simple TCP/IP Services service must be disabled if installed. |
☐ | SV-226357r569184_rule | The Telnet service must be disabled if installed. |
☐ | SV-226358r569184_rule | The Smart Card Removal Policy service must be configured to automatic. |
☐ | SV-226359r569184_rule | A screen saver must be enabled on the system. |
☐ | SV-226360r569184_rule | The screen saver must be password protected. |
☐ | SV-226361r569184_rule | Notifications from Windows Push Network Service must be turned off. |
☐ | SV-226362r569184_rule | Toast notifications to the lock screen must be turned off. |
☐ | SV-226363r569184_rule | The Windows Help Experience Improvement Program must be disabled. |
☐ | SV-226364r569184_rule | Windows Help Ratings feedback must be turned off. |
☐ | SV-226365r569184_rule | Zone information must be preserved when saving attachments. |
☐ | SV-226366r569184_rule | Mechanisms for removing zone information from file attachments must be hidden. |
☐ | SV-226367r569184_rule | The system must notify antivirus when file attachments are opened. |
☐ | SV-226368r569184_rule | Users must be prevented from sharing files in their profiles. |
☐ | SV-226369r569184_rule | Media Player must be configured to prevent automatic Codec downloads. |
☐ | SV-226370r569184_rule | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. |
☐ | SV-226371r569184_rule | Unauthorized accounts must not have the Access this computer from the network user right on domain controllers. |
☐ | SV-226372r569184_rule | The Act as part of the operating system user right must not be assigned to any groups or accounts. |
☐ | SV-226373r569184_rule | The Allow log on locally user right must only be assigned to the Administrators group. |
☐ | SV-226374r569184_rule | The Back up files and directories user right must only be assigned to the Administrators group. |
☐ | SV-226375r569184_rule | The Create a pagefile user right must only be assigned to the Administrators group. |
☐ | SV-226376r569184_rule | The Create a token object user right must not be assigned to any groups or accounts. |
☐ | SV-226377r569184_rule | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
☐ | SV-226378r569184_rule | The Create permanent shared objects user right must not be assigned to any groups or accounts. |
☐ | SV-226379r569184_rule | The Create symbolic links user right must only be assigned to the Administrators group. |
☐ | SV-226380r569184_rule | The Debug programs user right must only be assigned to the Administrators group. |
☐ | SV-226381r569184_rule | The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. |
☐ | SV-226382r569184_rule | The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. |
☐ | SV-226383r569184_rule | The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. |
☐ | SV-226384r569184_rule | The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. |
☐ | SV-226385r569184_rule | The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access. |
☐ | SV-226386r569184_rule | Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on domain controllers. |
☐ | SV-226387r569184_rule | The Force shutdown from a remote system user right must only be assigned to the Administrators group. |
☐ | SV-226388r569184_rule | The Generate security audits user right must only be assigned to Local Service and Network Service. |
☐ | SV-226389r569184_rule | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
☐ | SV-226390r569184_rule | The Increase scheduling priority user right must only be assigned to the Administrators group. |
☐ | SV-226391r569184_rule | The Load and unload device drivers user right must only be assigned to the Administrators group. |
☐ | SV-226392r569184_rule | The Lock pages in memory user right must not be assigned to any groups or accounts. |
☐ | SV-226393r569184_rule | The Manage auditing and security log user right must only be assigned to the Administrators group. |
☐ | SV-226394r569184_rule | The Modify firmware environment values user right must only be assigned to the Administrators group. |
☐ | SV-226395r569184_rule | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. |
☐ | SV-226396r569184_rule | The Profile single process user right must only be assigned to the Administrators group. |
☐ | SV-226397r569184_rule | The Restore files and directories user right must only be assigned to the Administrators group. |
☐ | SV-226398r569184_rule | The Take ownership of files or other objects user right must only be assigned to the Administrators group. |
☐ | SV-226399r569184_rule | Unauthorized accounts must not have the Add workstations to domain user right. |
☐ | SV-226400r569184_rule | The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group. |