| Checked | Name | Title |
|---|
| ☐ | SV-225239r569185_rule | Server systems must be located in a controlled access area, accessible only to authorized personnel. |
| ☐ | SV-225240r569185_rule | Users with administrative privilege must be documented. |
| ☐ | SV-225241r569185_rule | Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. |
| ☐ | SV-225242r569185_rule | Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control. |
| ☐ | SV-225243r569185_rule | Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization. |
| ☐ | SV-225244r569185_rule | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. |
| ☐ | SV-225245r569185_rule | Members of the Backup Operators group must be documented. |
| ☐ | SV-225246r569185_rule | Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. |
| ☐ | SV-225247r569185_rule | Policy must require application account passwords be at least 15 characters in length. |
| ☐ | SV-225248r569185_rule | Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. |
| ☐ | SV-225249r569185_rule | Shared user accounts must not be permitted on the system. |
| ☐ | SV-225250r569185_rule | Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance. |
| ☐ | SV-225251r569185_rule | System-level information must be backed up in accordance with local recovery time and recovery point objectives. |
| ☐ | SV-225252r569185_rule | User-level information must be backed up in accordance with local recovery time and recovery point objectives. |
| ☐ | SV-225253r569185_rule | Backups of system-level information must be protected. |
| ☐ | SV-225254r569185_rule | System-related documentation must be backed up in accordance with local recovery time and recovery point objectives. |
| ☐ | SV-225255r569185_rule | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. |
| ☐ | SV-225256r569185_rule | Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. |
| ☐ | SV-225257r569185_rule | Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. |
| ☐ | SV-225258r569185_rule | The Windows 2012 / 2012 R2 system must use an anti-virus program. |
| ☐ | SV-225259r569185_rule | The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2. |
| ☐ | SV-225260r569185_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. |
| ☐ | SV-225261r569185_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. |
| ☐ | SV-225262r569185_rule | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2. |
| ☐ | SV-225263r569185_rule | Windows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2. |
| ☐ | SV-225264r569185_rule | PowerShell script block logging must be enabled on Windows 2012/2012 R2. |
| ☐ | SV-225265r569185_rule | Windows PowerShell 2.0 must not be installed on Windows 2012/2012 R2. |
| ☐ | SV-225266r569185_rule | Windows 2012 account lockout duration must be configured to 15 minutes or greater. |
| ☐ | SV-225267r569185_rule | The number of allowed bad logon attempts must meet minimum requirements. |
| ☐ | SV-225268r569185_rule | The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012. |
| ☐ | SV-225269r569185_rule | The password history must be configured to 24 passwords remembered. |
| ☐ | SV-225270r569185_rule | The maximum password age must meet requirements. |
| ☐ | SV-225271r569185_rule | The minimum password age must meet requirements. |
| ☐ | SV-225272r569185_rule | Passwords must, at a minimum, be 14 characters. |
| ☐ | SV-225273r569185_rule | The built-in Windows password complexity policy must be enabled. |
| ☐ | SV-225274r569185_rule | Reversible password encryption must be disabled. |
| ☐ | SV-225275r569185_rule | The system must be configured to audit Account Logon - Credential Validation successes. |
| ☐ | SV-225276r569185_rule | The system must be configured to audit Account Logon - Credential Validation failures. |
| ☐ | SV-225277r569185_rule | The system must be configured to audit Account Management - Other Account Management Events successes. |
| ☐ | SV-225278r569185_rule | The system must be configured to audit Account Management - Security Group Management successes. |
| ☐ | SV-225279r569185_rule | The system must be configured to audit Account Management - User Account Management successes. |
| ☐ | SV-225280r569185_rule | The system must be configured to audit Account Management - User Account Management failures. |
| ☐ | SV-225281r569185_rule | The system must be configured to audit Detailed Tracking - Process Creation successes. |
| ☐ | SV-225282r569185_rule | Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout successes. |
| ☐ | SV-225283r569185_rule | Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout failures. |
| ☐ | SV-225284r569185_rule | The system must be configured to audit Logon/Logoff - Logoff successes. |
| ☐ | SV-225285r569185_rule | The system must be configured to audit Logon/Logoff - Logon successes. |
| ☐ | SV-225286r569185_rule | The system must be configured to audit Logon/Logoff - Logon failures. |
| ☐ | SV-225287r569185_rule | The system must be configured to audit Logon/Logoff - Special Logon successes. |
| ☐ | SV-225288r569185_rule | The system must be configured to audit Object Access - Central Access Policy Staging successes. |
| ☐ | SV-225289r569185_rule | The system must be configured to audit Object Access - Central Access Policy Staging failures. |
| ☐ | SV-225290r569185_rule | The system must be configured to audit Object Access - Removable Storage successes. |
| ☐ | SV-225291r569185_rule | The system must be configured to audit Object Access - Removable Storage failures. |
| ☐ | SV-225292r569185_rule | The system must be configured to audit Policy Change - Audit Policy Change successes. |
| ☐ | SV-225293r569185_rule | The system must be configured to audit Policy Change - Audit Policy Change failures. |
| ☐ | SV-225294r569185_rule | The system must be configured to audit Policy Change - Authentication Policy Change successes. |
| ☐ | SV-225295r569185_rule | The system must be configured to audit Policy Change - Authorization Policy Change successes. |
| ☐ | SV-225296r569185_rule | The system must be configured to audit Privilege Use - Sensitive Privilege Use successes. |
| ☐ | SV-225297r569185_rule | The system must be configured to audit Privilege Use - Sensitive Privilege Use failures. |
| ☐ | SV-225298r569185_rule | The system must be configured to audit System - IPsec Driver successes. |
| ☐ | SV-225299r569185_rule | The system must be configured to audit System - IPsec Driver failures. |
| ☐ | SV-225300r569185_rule | Windows Server 2012/2012 R2 must be configured to audit System - Other System Events successes. |
| ☐ | SV-225301r569185_rule | Windows Server 2012/2012 R2 must be configured to audit System - Other System Events failures. |
| ☐ | SV-225302r569185_rule | The system must be configured to audit System - Security State Change successes. |
| ☐ | SV-225303r569185_rule | The system must be configured to audit System - Security System Extension successes. |
| ☐ | SV-225304r569185_rule | The system must be configured to audit System - System Integrity successes. |
| ☐ | SV-225305r569185_rule | The system must be configured to audit System - System Integrity failures. |
| ☐ | SV-225306r569185_rule | Audit data must be reviewed on a regular basis. |
| ☐ | SV-225307r569185_rule | Audit data must be retained for at least one year. |
| ☐ | SV-225308r569185_rule | Audit records must be backed up onto a different system or media than the system being audited. |
| ☐ | SV-225309r569185_rule | The operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. |
| ☐ | SV-225310r569185_rule | Permissions for the Application event log must prevent access by nonprivileged accounts. |
| ☐ | SV-225311r569185_rule | Permissions for the Security event log must prevent access by nonprivileged accounts. |
| ☐ | SV-225312r569185_rule | Permissions for the System event log must prevent access by nonprivileged accounts. |
| ☐ | SV-225313r569185_rule | Event Viewer must be protected from unauthorized modification and deletion. |
| ☐ | SV-225314r569185_rule | The Mapper I/O network protocol (LLTDIO) driver must be disabled. |
| ☐ | SV-225315r569185_rule | The Responder network protocol driver must be disabled. |
| ☐ | SV-225316r569185_rule | Windows Peer-to-Peer networking services must be turned off. |
| ☐ | SV-225317r569185_rule | Network Bridges must be prohibited in Windows. |
| ☐ | SV-225318r569185_rule | Domain users must be required to elevate when setting a networks location. |
| ☐ | SV-225319r569185_rule | All Direct Access traffic must be routed through the internal network. |
| ☐ | SV-225320r569185_rule | The 6to4 IPv6 transition technology must be disabled. |
| ☐ | SV-225321r569185_rule | The IP-HTTPS IPv6 transition technology must be disabled. |
| ☐ | SV-225322r569185_rule | The ISATAP IPv6 transition technology must be disabled. |
| ☐ | SV-225323r569185_rule | The Teredo IPv6 transition technology must be disabled. |
| ☐ | SV-225324r569185_rule | IP stateless autoconfiguration limits state must be enabled. |
| ☐ | SV-225325r569185_rule | The configuration of wireless devices using Windows Connect Now must be disabled. |
| ☐ | SV-225326r569185_rule | The Windows Connect Now wizards must be disabled. |
| ☐ | SV-225327r569185_rule | Windows Update must be prevented from searching for point and print drivers. |
| ☐ | SV-225328r569185_rule | Optional component installation and component repair must be prevented from using Windows Update. |
| ☐ | SV-225329r569185_rule | Remote access to the Plug and Play interface must be disabled for device installation. |
| ☐ | SV-225330r569185_rule | An Error Report must not be sent when a generic device driver is installed. |
| ☐ | SV-225331r569185_rule | A system restore point must be created when a new device driver is installed. |
| ☐ | SV-225332r569185_rule | Device metadata retrieval from the Internet must be prevented. |
| ☐ | SV-225333r569185_rule | Windows must be prevented from sending an error report when a device driver requests additional software during installation. |
| ☐ | SV-225334r569185_rule | Device driver searches using Windows Update must be prevented. |
| ☐ | SV-225335r569185_rule | Device driver updates must only search managed servers, not Windows Update. |
| ☐ | SV-225336r569185_rule | Users must not be prompted to search Windows Update for device drivers. |
| ☐ | SV-225337r569185_rule | Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown. |
| ☐ | SV-225338r569185_rule | Group Policy objects must be reprocessed even if they have not changed. |
| ☐ | SV-225339r569185_rule | Group Policies must be refreshed in the background if the user is logged on. |
| ☐ | SV-225340r569185_rule | Access to the Windows Store must be turned off. |
| ☐ | SV-225341r569185_rule | Downloading print driver packages over HTTP must be prevented. |
| ☐ | SV-225342r569185_rule | Event Viewer Events.asp links must be turned off. |
| ☐ | SV-225343r569185_rule | Errors in handwriting recognition on tablet PCs must not be reported to Microsoft. |
| ☐ | SV-225344r569185_rule | The Internet File Association service must be turned off. |
| ☐ | SV-225345r569185_rule | Printing over HTTP must be prevented. |
| ☐ | SV-225346r569185_rule | The Windows Customer Experience Improvement Program must be disabled. |
| ☐ | SV-225347r569185_rule | Windows must be prevented from using Windows Update to search for drivers. |
| ☐ | SV-225348r569185_rule | Copying of user input methods to the system account for sign-in must be prevented. |
| ☐ | SV-225349r569185_rule | Local users on domain-joined computers must not be enumerated. |
| ☐ | SV-225350r569185_rule | App notifications on the lock screen must be turned off. |
| ☐ | SV-225351r569185_rule | Users must be prompted to authenticate on resume from sleep (on battery). |
| ☐ | SV-225352r569185_rule | The user must be prompted to authenticate on resume from sleep (plugged in). |
| ☐ | SV-225353r569185_rule | The system must be configured to prevent unsolicited remote assistance offers. |
| ☐ | SV-225354r569185_rule | Solicited Remote Assistance must not be allowed. |
| ☐ | SV-225355r569185_rule | Remote Assistance log files must be generated. |
| ☐ | SV-225356r569185_rule | Unauthenticated RPC clients must be restricted from connecting to the RPC server. |
| ☐ | SV-225357r569185_rule | The detection of compatibility issues for applications and drivers must be turned off. |
| ☐ | SV-225358r569185_rule | Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented. |
| ☐ | SV-225359r569185_rule | Access to Windows Online Troubleshooting Service (WOTS) must be prevented. |
| ☐ | SV-225360r569185_rule | Responsiveness events must be prevented from being aggregated and sent to Microsoft. |
| ☐ | SV-225361r569185_rule | The time service must synchronize with an appropriate DoD time source. |
| ☐ | SV-225362r569185_rule | Trusted app installation must be enabled to allow for signed enterprise line of business apps. |
| ☐ | SV-225363r569185_rule | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. |
| ☐ | SV-225364r569185_rule | Autoplay must be turned off for non-volume devices. |
| ☐ | SV-225365r569185_rule | The default Autorun behavior must be configured to prevent Autorun commands. |
| ☐ | SV-225366r569185_rule | Autoplay must be disabled for all drives. |
| ☐ | SV-225367r569185_rule | The use of biometrics must be disabled. |
| ☐ | SV-225368r569185_rule | The password reveal button must not be displayed. |
| ☐ | SV-225369r569185_rule | Administrator accounts must not be enumerated during elevation. |
| ☐ | SV-225370r569185_rule | The Application event log size must be configured to 32768 KB or greater. |
| ☐ | SV-225371r569185_rule | The Security event log size must be configured to 196608 KB or greater. |
| ☐ | SV-225372r569185_rule | The Setup event log size must be configured to 32768 KB or greater. |
| ☐ | SV-225373r569185_rule | The System event log size must be configured to 32768 KB or greater. |
| ☐ | SV-225374r569185_rule | Windows SmartScreen must be enabled on Windows 2012/2012 R2. |
| ☐ | SV-225375r569185_rule | Explorer Data Execution Prevention must be enabled. |
| ☐ | SV-225376r569185_rule | Turning off File Explorer heap termination on corruption must be disabled. |
| ☐ | SV-225377r569185_rule | File Explorer shell protocol must run in protected mode. |
| ☐ | SV-225378r569185_rule | The location feature must be turned off. |
| ☐ | SV-225379r569185_rule | Passwords must not be saved in the Remote Desktop Client. |
| ☐ | SV-225380r569185_rule | Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role). |
| ☐ | SV-225381r569185_rule | Remote Desktop Services must always prompt a client for passwords upon connection. |
| ☐ | SV-225382r569185_rule | Remote Desktop Services must be configured with the client connection encryption set to the required level. |
| ☐ | SV-225383r569185_rule | Remote Desktop Services must delete temporary folders when a session is terminated. |
| ☐ | SV-225384r569185_rule | Remote Desktop Services must be configured to use session-specific temporary folders. |
| ☐ | SV-225385r569185_rule | Attachments must be prevented from being downloaded from RSS feeds. |
| ☐ | SV-225386r569185_rule | Basic authentication for RSS feeds over HTTP must be turned off. |
| ☐ | SV-225387r569185_rule | Automatic download of updates from the Windows Store must be turned off. |
| ☐ | SV-225388r569185_rule | The Windows Store application must be turned off. |
| ☐ | SV-225389r569185_rule | Users must be prevented from changing installation options. |
| ☐ | SV-225390r569185_rule | The Windows Installer Always install with elevated privileges option must be disabled. |
| ☐ | SV-225391r569185_rule | Users must be notified if a web-based program attempts to install software. |
| ☐ | SV-225392r569185_rule | Nonadministrators must be prevented from applying vendor-signed updates. |
| ☐ | SV-225393r569185_rule | Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet. |
| ☐ | SV-225394r569185_rule | Users must not be presented with Privacy and Installation options on first use of Windows Media Player. |
| ☐ | SV-225395r569185_rule | Windows Media Player must be configured to prevent automatic checking for updates. |
| ☐ | SV-225396r569185_rule | The Windows Remote Management (WinRM) client must not use Basic authentication. |
| ☐ | SV-225397r569185_rule | The Windows Remote Management (WinRM) client must not allow unencrypted traffic. |
| ☐ | SV-225398r569185_rule | The Windows Remote Management (WinRM) client must not use Digest authentication. |
| ☐ | SV-225399r569185_rule | The Windows Remote Management (WinRM) service must not use Basic authentication. |
| ☐ | SV-225400r569185_rule | The Windows Remote Management (WinRM) service must not allow unencrypted traffic. |
| ☐ | SV-225401r569185_rule | The Windows Remote Management (WinRM) service must not store RunAs credentials. |
| ☐ | SV-225402r569185_rule | The Remote Desktop Session Host must require secure RPC communications. |
| ☐ | SV-225404r569185_rule | Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role). |
| ☐ | SV-225405r569185_rule | Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role). |
| ☐ | SV-225406r569185_rule | The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role). |
| ☐ | SV-225407r569185_rule | Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role). |
| ☐ | SV-225408r569185_rule | Only the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role). |
| ☐ | SV-225409r569185_rule | The display of slide shows on the lock screen must be disabled (Windows 2012 R2). |
| ☐ | SV-225410r569185_rule | Windows 2012 R2 must include command line data in process creation events. |
| ☐ | SV-225411r569185_rule | The network selection user interface (UI) must not be displayed on the logon screen (Windows 2012 R2). |
| ☐ | SV-225412r569185_rule | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled (Windows 2012 R2). |
| ☐ | SV-225413r569185_rule | The Windows Explorer Preview pane must be disabled for Windows 2012. |
| ☐ | SV-225414r569185_rule | Automatically signing in the last interactive user after a system-initiated restart must be disabled (Windows 2012 R2). |
| ☐ | SV-225415r569185_rule | WDigest Authentication must be disabled. |
| ☐ | SV-225416r569185_rule | A host-based firewall must be installed and enabled on the system. |
| ☐ | SV-225417r569185_rule | Systems must be maintained at a supported service pack level. |
| ☐ | SV-225418r569185_rule | Only administrators responsible for the member server must have Administrator rights on the system. |
| ☐ | SV-225419r569185_rule | Local volumes must use a format that supports NTFS attributes. |
| ☐ | SV-225420r569185_rule | Permissions for system drive root directory (usually C:\) must conform to minimum requirements. |
| ☐ | SV-225421r569185_rule | Permissions for program file directories must conform to minimum requirements. |
| ☐ | SV-225422r569185_rule | Permissions for Windows installation directory must conform to minimum requirements. |
| ☐ | SV-225423r569185_rule | The system must not boot into multiple operating systems (dual-boot). |
| ☐ | SV-225424r569185_rule | Nonadministrative user accounts or groups must only have print permissions on printer shares. |
| ☐ | SV-225425r569185_rule | Outdated or unused accounts must be removed from the system or disabled. |
| ☐ | SV-225426r569185_rule | Windows 2012/2012 R2 accounts must be configured to require passwords. |
| ☐ | SV-225427r569185_rule | Windows 2012/2012 R2 passwords must be configured to expire. |
| ☐ | SV-225428r569268_rule | System files must be monitored for unauthorized changes. |
| ☐ | SV-225429r569185_rule | Non system-created file shares on a system must limit access to groups that require it. |
| ☐ | SV-225430r569185_rule | The HBSS McAfee Agent must be installed. |
| ☐ | SV-225431r569185_rule | Software certificate installation files must be removed from Windows 2012/2012 R2. |
| ☐ | SV-225432r569185_rule | Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system. |
| ☐ | SV-225433r569185_rule | Servers must have a host-based Intrusion Detection System. |
| ☐ | SV-225434r569185_rule | Windows Server 2012 / 2012 R2 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). |
| ☐ | SV-225435r569185_rule | The system must support automated patch management tools to facilitate flaw remediation. |
| ☐ | SV-225436r569185_rule | The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes. |
| ☐ | SV-225437r569185_rule | File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons. |
| ☐ | SV-225438r569185_rule | File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive. |
| ☐ | SV-225439r569185_rule | Windows 2012 / 2012 R2 must automatically remove or disable temporary user accounts after 72 hours. |
| ☐ | SV-225440r569185_rule | Windows 2012 / 2012 R2 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. |
| ☐ | SV-225441r569248_rule | The DoD Root CA certificates must be installed in the Trusted Root Store. |
| ☐ | SV-225442r569255_rule | The DoD Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems. |
| ☐ | SV-225443r569252_rule | The US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems. |
| ☐ | SV-225444r569185_rule | Standard user accounts must only have Read permissions to the Winlogon registry key. |
| ☐ | SV-225445r569185_rule | Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key. |
| ☐ | SV-225446r569185_rule | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. |
| ☐ | SV-225447r569185_rule | Anonymous access to the registry must be restricted. |
| ☐ | SV-225448r569185_rule | The built-in guest account must be disabled. |
| ☐ | SV-225449r569185_rule | Local accounts with blank passwords must be restricted to prevent access from the network. |
| ☐ | SV-225450r569185_rule | The built-in administrator account must be renamed. |
| ☐ | SV-225451r569185_rule | The built-in guest account must be renamed. |
| ☐ | SV-225452r569185_rule | Auditing the Access of Global System Objects must be turned off. |
| ☐ | SV-225453r569185_rule | Auditing of Backup and Restore Privileges must be turned off. |
| ☐ | SV-225454r569185_rule | Audit policy using subcategories must be enabled. |
| ☐ | SV-225455r569185_rule | Ejection of removable NTFS media must be restricted to Administrators. |
| ☐ | SV-225456r569185_rule | Outgoing secure channel traffic must be encrypted or signed. |
| ☐ | SV-225457r569185_rule | Outgoing secure channel traffic must be encrypted when possible. |
| ☐ | SV-225458r569185_rule | Outgoing secure channel traffic must be signed when possible. |
| ☐ | SV-225459r569185_rule | The computer account password must not be prevented from being reset. |
| ☐ | SV-225460r569185_rule | The maximum age for machine account passwords must be set to requirements. |
| ☐ | SV-225461r569185_rule | The system must be configured to require a strong session key. |
| ☐ | SV-225462r569185_rule | The system must be configured to prevent the display of the last username on the logon screen. |
| ☐ | SV-225463r569185_rule | The Ctrl+Alt+Del security attention sequence for logons must be enabled. |
| ☐ | SV-225464r569185_rule | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. |
| ☐ | SV-225465r569185_rule | The required legal notice must be configured to display before console logon. |
| ☐ | SV-225466r569185_rule | The Windows dialog box title for the legal banner must be configured. |
| ☐ | SV-225467r569185_rule | Caching of logon credentials must be limited. |
| ☐ | SV-225468r569185_rule | Users must be warned in advance of their passwords expiring. |
| ☐ | SV-225469r569185_rule | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. |
| ☐ | SV-225470r569185_rule | The Windows SMB client must be configured to always perform SMB packet signing. |
| ☐ | SV-225471r569185_rule | The Windows SMB client must be enabled to perform SMB packet signing when possible. |
| ☐ | SV-225472r569185_rule | Unencrypted passwords must not be sent to third-party SMB Servers. |
| ☐ | SV-225473r569185_rule | The amount of idle time required before suspending a session must be properly set. |
| ☐ | SV-225474r569185_rule | The Windows SMB server must be configured to always perform SMB packet signing. |
| ☐ | SV-225475r569185_rule | The Windows SMB server must perform SMB packet signing when possible. |
| ☐ | SV-225476r569185_rule | Users must be forcibly disconnected when their logon hours expire. |
| ☐ | SV-225477r569185_rule | The service principal name (SPN) target name validation level must be turned off. |
| ☐ | SV-225478r569185_rule | Automatic logons must be disabled. |
| ☐ | SV-225479r569185_rule | IPv6 source routing must be configured to the highest protection level. |
| ☐ | SV-225480r569185_rule | The system must be configured to prevent IP source routing. |
| ☐ | SV-225481r569185_rule | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. |
| ☐ | SV-225482r569185_rule | The system must be configured to limit how often keep-alive packets are sent. |
| ☐ | SV-225483r569185_rule | IPSec Exemptions must be limited. |
| ☐ | SV-225484r569185_rule | The system must be configured to ignore NetBIOS name release requests except from WINS servers. |
| ☐ | SV-225485r569185_rule | The system must be configured to disable the Internet Router Discovery Protocol (IRDP). |
| ☐ | SV-225486r569185_rule | The system must be configured to use Safe DLL Search Mode. |
| ☐ | SV-225487r569185_rule | The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active. |
| ☐ | SV-225488r569185_rule | IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted. |
| ☐ | SV-225489r569185_rule | The system must limit how many times unacknowledged TCP data is retransmitted. |
| ☐ | SV-225490r569185_rule | The system must generate an audit event when the audit log reaches a percentage of full threshold. |
| ☐ | SV-225491r569185_rule | Anonymous SID/Name translation must not be allowed. |
| ☐ | SV-225492r569185_rule | Anonymous enumeration of SAM accounts must not be allowed. |
| ☐ | SV-225493r569185_rule | Anonymous enumeration of shares must be restricted. |
| ☐ | SV-225494r569185_rule | The system must be configured to prevent anonymous users from having the same rights as the Everyone group. |
| ☐ | SV-225495r569185_rule | Named pipes that can be accessed anonymously must be configured to contain no values on member servers. |
| ☐ | SV-225496r569185_rule | Unauthorized remotely accessible registry paths must not be configured. |
| ☐ | SV-225497r569185_rule | Unauthorized remotely accessible registry paths and sub-paths must not be configured. |
| ☐ | SV-225498r569185_rule | Anonymous access to Named Pipes and Shares must be restricted. |
| ☐ | SV-225499r569185_rule | Network shares that can be accessed anonymously must not be allowed. |
| ☐ | SV-225500r569185_rule | The system must be configured to use the Classic security model. |
| ☐ | SV-225501r569185_rule | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. |
| ☐ | SV-225502r569185_rule | NTLM must be prevented from falling back to a Null session. |
| ☐ | SV-225503r569185_rule | PKU2U authentication using online identities must be prevented. |
| ☐ | SV-225504r569185_rule | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. |
| ☐ | SV-225505r569185_rule | The system must be configured to prevent the storage of the LAN Manager hash of passwords. |
| ☐ | SV-225506r569185_rule | The system must be configured to force users to log off when their allowed logon hours expire. |
| ☐ | SV-225507r569185_rule | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. |
| ☐ | SV-225508r569185_rule | The system must be configured to the required LDAP client signing level. |
| ☐ | SV-225509r569185_rule | The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients. |
| ☐ | SV-225510r569185_rule | The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers. |
| ☐ | SV-225511r569185_rule | The shutdown option must not be available from the logon dialog box. |
| ☐ | SV-225512r569185_rule | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. |
| ☐ | SV-225513r569185_rule | The system must be configured to require case insensitivity for non-Windows subsystems. |
| ☐ | SV-225514r569185_rule | The default permissions of global system objects must be increased. |
| ☐ | SV-225515r569185_rule | User Account Control approval mode for the built-in Administrator must be enabled. |
| ☐ | SV-225516r569185_rule | User Account Control must, at minimum, prompt administrators for consent. |
| ☐ | SV-225517r569185_rule | User Account Control must automatically deny standard user requests for elevation. |
| ☐ | SV-225518r569185_rule | User Account Control must be configured to detect application installations and prompt for elevation. |
| ☐ | SV-225519r569185_rule | Windows must elevate all applications in User Account Control, not just signed ones. |
| ☐ | SV-225520r569185_rule | User Account Control must only elevate UIAccess applications that are installed in secure locations. |
| ☐ | SV-225521r569185_rule | User Account Control must run all administrators in Admin Approval Mode, enabling UAC. |
| ☐ | SV-225522r569185_rule | User Account Control must switch to the secure desktop when prompting for elevation. |
| ☐ | SV-225523r569185_rule | User Account Control must virtualize file and registry write failures to per-user locations. |
| ☐ | SV-225524r569185_rule | UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. |
| ☐ | SV-225525r569185_rule | Optional Subsystems must not be permitted to operate on the system. |
| ☐ | SV-225526r569185_rule | The print driver installation privilege must be restricted to administrators. |
| ☐ | SV-225527r569185_rule | Users must be required to enter a password to access private keys stored on the computer. |
| ☐ | SV-225528r569185_rule | The Fax service must be disabled if installed. |
| ☐ | SV-225529r569185_rule | The Microsoft FTP service must not be installed unless required. |
| ☐ | SV-225530r569185_rule | The Peer Networking Identity Manager service must be disabled if installed. |
| ☐ | SV-225531r569185_rule | The Simple TCP/IP Services service must be disabled if installed. |
| ☐ | SV-225532r569185_rule | The Telnet service must be disabled if installed. |
| ☐ | SV-225533r569185_rule | The Smart Card Removal Policy service must be configured to automatic. |
| ☐ | SV-225534r569185_rule | A screen saver must be enabled on the system. |
| ☐ | SV-225535r569185_rule | The screen saver must be password protected. |
| ☐ | SV-225536r569185_rule | Notifications from Windows Push Network Service must be turned off. |
| ☐ | SV-225537r569185_rule | Toast notifications to the lock screen must be turned off. |
| ☐ | SV-225538r569185_rule | The Windows Help Experience Improvement Program must be disabled. |
| ☐ | SV-225539r569185_rule | Windows Help Ratings feedback must be turned off. |
| ☐ | SV-225540r569185_rule | Zone information must be preserved when saving attachments. |
| ☐ | SV-225541r569185_rule | Mechanisms for removing zone information from file attachments must be hidden. |
| ☐ | SV-225542r569185_rule | The system must notify antivirus when file attachments are opened. |
| ☐ | SV-225543r569185_rule | Users must be prevented from sharing files in their profiles. |
| ☐ | SV-225544r569185_rule | Media Player must be configured to prevent automatic Codec downloads. |
| ☐ | SV-225545r569185_rule | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. |
| ☐ | SV-225546r569185_rule | The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers. |
| ☐ | SV-225547r569185_rule | The Act as part of the operating system user right must not be assigned to any groups or accounts. |
| ☐ | SV-225548r569185_rule | The Allow log on locally user right must only be assigned to the Administrators group. |
| ☐ | SV-225549r569185_rule | The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group and other approved groups. |
| ☐ | SV-225550r569185_rule | The Back up files and directories user right must only be assigned to the Administrators group. |
| ☐ | SV-225551r569185_rule | The Create a pagefile user right must only be assigned to the Administrators group. |
| ☐ | SV-225552r569185_rule | The Create a token object user right must not be assigned to any groups or accounts. |
| ☐ | SV-225553r569185_rule | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| ☐ | SV-225554r569185_rule | The Create permanent shared objects user right must not be assigned to any groups or accounts. |
| ☐ | SV-225555r569185_rule | The Create symbolic links user right must only be assigned to the Administrators group. |
| ☐ | SV-225556r569185_rule | The Debug programs user right must only be assigned to the Administrators group. |
| ☐ | SV-225557r569185_rule | The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems. |
| ☐ | SV-225558r569185_rule | The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems, and from unauthenticated access on all systems. |
| ☐ | SV-225559r569185_rule | The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right. |
| ☐ | SV-225560r569185_rule | The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems, and from unauthenticated access on all systems. |
| ☐ | SV-225561r569185_rule | The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems, and from unauthenticated access on all systems. |
| ☐ | SV-225562r569185_rule | Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on member servers. |
| ☐ | SV-225563r569185_rule | The Force shutdown from a remote system user right must only be assigned to the Administrators group. |
| ☐ | SV-225564r569185_rule | The Generate security audits user right must only be assigned to Local Service and Network Service. |
| ☐ | SV-225565r569185_rule | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| ☐ | SV-225566r569185_rule | The Increase scheduling priority user right must only be assigned to the Administrators group. |
| ☐ | SV-225567r569185_rule | The Load and unload device drivers user right must only be assigned to the Administrators group. |
| ☐ | SV-225568r569185_rule | The Lock pages in memory user right must not be assigned to any groups or accounts. |
| ☐ | SV-225569r569185_rule | The Manage auditing and security log user right must only be assigned to the Administrators group. |
| ☐ | SV-225570r569185_rule | The Modify firmware environment values user right must only be assigned to the Administrators group. |
| ☐ | SV-225571r569185_rule | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. |
| ☐ | SV-225572r569185_rule | The Profile single process user right must only be assigned to the Administrators group. |
| ☐ | SV-225573r569185_rule | The Restore files and directories user right must only be assigned to the Administrators group. |
| ☐ | SV-225574r569185_rule | The Take ownership of files or other objects user right must only be assigned to the Administrators group. |
STIGQter: STIG Summary: