STIGQter: STIG Summary

Microsoft Windows Server 2016 Security Technical Implementation Guide

Version: 2

Release: 2

Benchmark Date: 04 May 2021

Name | Title
SV-224819r569186_rule | Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
SV-224820r569186_rule | Passwords for the built-in Administrator account must be changed at least every 60 days.
SV-224821r569186_rule | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
SV-224822r569186_rule | Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
SV-224823r569186_rule | Manually managed application account passwords must be at least 15 characters in length.
SV-224824r569186_rule | Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
SV-224825r569186_rule | Shared user accounts must not be permitted on the system.
SV-224826r569186_rule | Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
SV-224827r569186_rule | Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
SV-224828r569186_rule | Systems must be maintained at a supported servicing level.
SV-224829r569237_rule | The Windows Server 2016 system must use an anti-virus program.
SV-224830r569186_rule | Servers must have a host-based intrusion detection or prevention system.
SV-224831r569186_rule | Local volumes must use a format that supports NTFS attributes.
SV-224832r569186_rule | Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
SV-224833r569186_rule | Permissions for program file directories must conform to minimum requirements.
SV-224834r569186_rule | Permissions for the Windows installation directory must conform to minimum requirements.
SV-224835r569186_rule | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
SV-224836r569186_rule | Non-administrative accounts or groups must only have print permissions on printer shares.
SV-224837r569186_rule | Outdated or unused accounts must be removed from the system or disabled.
SV-224838r569186_rule | Windows Server 2016 accounts must require passwords.
SV-224839r569186_rule | Passwords must be configured to expire.
SV-224840r569239_rule | System files must be monitored for unauthorized changes.
SV-224841r569186_rule | Non-system-created file shares on a system must limit access to groups that require it.
SV-224842r569186_rule | Software certificate installation files must be removed from Windows Server 2016.
SV-224843r569186_rule | Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
SV-224844r569186_rule | Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
SV-224845r569186_rule | The roles and features required by the system must be documented.
SV-224846r569186_rule | A host-based firewall must be installed and enabled on the system.
SV-224847r569186_rule | Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
SV-224848r569186_rule | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.
SV-224849r569186_rule | Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
SV-224850r569186_rule | The Fax Server role must not be installed.
SV-224851r569186_rule | The Microsoft FTP service must not be installed unless required.
SV-224852r569186_rule | The Peer Name Resolution Protocol must not be installed.
SV-224853r569186_rule | Simple TCP/IP Services must not be installed.
SV-224854r569186_rule | The Telnet Client must not be installed.
SV-224855r569186_rule | The TFTP Client must not be installed.
SV-224856r569186_rule | The Server Message Block (SMB) v1 protocol must be uninstalled.
SV-224857r569186_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
SV-224858r569186_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
SV-224859r569186_rule | Windows PowerShell 2.0 must not be installed.
SV-224860r569186_rule | FTP servers must be configured to prevent anonymous logons.
SV-224861r569186_rule | FTP servers must be configured to prevent access to the system drive.
SV-224862r569186_rule | The time service must synchronize with an appropriate DoD time source.
SV-224863r569186_rule | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.
SV-224864r569186_rule | Secure Boot must be enabled on Windows Server 2016 systems.
SV-224865r569186_rule | Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
SV-224866r569186_rule | Windows 2016 account lockout duration must be configured to 15 minutes or greater.
SV-224867r569186_rule | Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less.
SV-224868r569186_rule | Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
SV-224869r569186_rule | Windows Server 2016 password history must be configured to 24 passwords remembered.
SV-224870r569186_rule | Windows Server 2016 maximum password age must be configured to 60 days or less.
SV-224871r569186_rule | Windows Server 2016 minimum password age must be configured to at least one day.
SV-224872r569186_rule | Windows Server 2016 minimum password length must be configured to 14 characters.
SV-224873r569186_rule | Windows Server 2016 must have the built-in Windows password complexity policy enabled.
SV-224874r569186_rule | Windows Server 2016 reversible password encryption must be disabled.
SV-224875r569186_rule | Audit records must be backed up to a different system or media than the system being audited.
SV-224876r569186_rule | Windows Server 2016 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
SV-224877r569186_rule | Permissions for the Application event log must prevent access by non-privileged accounts.
SV-224878r569186_rule | Permissions for the Security event log must prevent access by non-privileged accounts.
SV-224879r569186_rule | Permissions for the System event log must prevent access by non-privileged accounts.
SV-224880r569186_rule | Event Viewer must be protected from unauthorized modification and deletion.
SV-224881r569186_rule | Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes.
SV-224882r569186_rule | Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures.
SV-224883r569186_rule | Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.
SV-224884r569186_rule | Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.
SV-224885r569186_rule | Windows Server 2016 must be configured to audit Account Management - User Account Management successes.
SV-224886r569186_rule | Windows Server 2016 must be configured to audit Account Management - User Account Management failures.
SV-224887r569186_rule | Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes.
SV-224888r569186_rule | Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes.
SV-224889r569186_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout successes.
SV-224890r569186_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures.
SV-224891r569186_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes.
SV-224892r569186_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes.
SV-224893r569186_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.
SV-224894r569186_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures.
SV-224895r569186_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes.
SV-224896r569186_rule | Windows 2016 must be configured to audit Object Access - Other Object Access Events successes.
SV-224897r569186_rule | Windows 2016 must be configured to audit Object Access - Other Object Access Events failures.
SV-224898r569186_rule | Windows Server 2016 must be configured to audit Object Access - Removable Storage successes.
SV-224899r569186_rule | Windows Server 2016 must be configured to audit Object Access - Removable Storage failures.
SV-224900r569186_rule | Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes.
SV-224901r569186_rule | Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures.
SV-224902r569186_rule | Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes.
SV-224903r569186_rule | Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.
SV-224904r569186_rule | Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
SV-224905r569186_rule | Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
SV-224906r569186_rule | Windows Server 2016 must be configured to audit System - IPsec Driver successes.
SV-224907r569186_rule | Windows Server 2016 must be configured to audit System - IPsec Driver failures.
SV-224908r569186_rule | Windows Server 2016 must be configured to audit System - Other System Events successes.
SV-224909r569186_rule | Windows Server 2016 must be configured to audit System - Other System Events failures.
SV-224910r569186_rule | Windows Server 2016 must be configured to audit System - Security State Change successes.
SV-224911r569186_rule | Windows Server 2016 must be configured to audit System - Security System Extension successes.
SV-224912r569186_rule | Windows Server 2016 must be configured to audit System - System Integrity successes.
SV-224913r569186_rule | Windows Server 2016 must be configured to audit System - System Integrity failures.
SV-224914r569186_rule | The display of slide shows on the lock screen must be disabled.
SV-224915r569186_rule | WDigest Authentication must be disabled on Windows Server 2016.
SV-224916r569186_rule | Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
SV-224917r569186_rule | Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
SV-224918r569186_rule | Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
SV-224919r569186_rule | Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.
SV-224920r569186_rule | Insecure logons to an SMB server must be disabled.
SV-224921r569186_rule | Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
SV-224922r569186_rule | Command line data must be included in process creation events.
SV-224923r569186_rule | Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
SV-224924r569186_rule | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
SV-224925r569186_rule | Group Policy objects must be reprocessed even if they have not changed.
SV-224926r569186_rule | Downloading print driver packages over HTTP must be prevented.
SV-224927r569186_rule | Printing over HTTP must be prevented.
SV-224928r569186_rule | The network selection user interface (UI) must not be displayed on the logon screen.
SV-224929r569186_rule | Users must be prompted to authenticate when the system wakes from sleep (on battery).
SV-224930r569186_rule | Users must be prompted to authenticate when the system wakes from sleep (plugged in).
SV-224931r569186_rule | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
SV-224932r569186_rule | AutoPlay must be turned off for non-volume devices.
SV-224933r569186_rule | The default AutoRun behavior must be configured to prevent AutoRun commands.
SV-224934r569186_rule | AutoPlay must be disabled for all drives.
SV-224935r569186_rule | Administrator accounts must not be enumerated during elevation.
SV-224936r569186_rule | Windows Telemetry must be configured to Security or Basic.
SV-224937r569186_rule | The Application event log size must be configured to 32768 KB or greater.
SV-224938r569186_rule | The Security event log size must be configured to 196608 KB or greater.
SV-224939r569186_rule | The System event log size must be configured to 32768 KB or greater.
SV-224940r569186_rule | Windows Server 2016 Windows SmartScreen must be enabled.
SV-224941r569186_rule | Explorer Data Execution Prevention must be enabled.
SV-224942r569186_rule | Turning off File Explorer heap termination on corruption must be disabled.
SV-224943r569186_rule | File Explorer shell protocol must run in protected mode.
SV-224944r569186_rule | Passwords must not be saved in the Remote Desktop Client.
SV-224945r569186_rule | Local drives must be prevented from sharing with Remote Desktop Session Hosts.
SV-224946r569186_rule | Remote Desktop Services must always prompt a client for passwords upon connection.
SV-224947r569186_rule | The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications.
SV-224948r569186_rule | Remote Desktop Services must be configured with the client connection encryption set to High Level.
SV-224949r569186_rule | Attachments must be prevented from being downloaded from RSS feeds.
SV-224951r569186_rule | Basic authentication for RSS feeds over HTTP must not be used.
SV-224952r569186_rule | Indexing of encrypted files must be turned off.
SV-224953r569186_rule | Users must be prevented from changing installation options.
SV-224954r569186_rule | The Windows Installer Always install with elevated privileges option must be disabled.
SV-224955r569186_rule | Users must be notified if a web-based program attempts to install software.
SV-224956r569186_rule | Automatically signing in the last interactive user after a system-initiated restart must be disabled.
SV-224957r569186_rule | PowerShell script block logging must be enabled.
SV-224958r569186_rule | The Windows Remote Management (WinRM) client must not use Basic authentication.
SV-224959r569186_rule | The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
SV-224960r569186_rule | The Windows Remote Management (WinRM) client must not use Digest authentication.
SV-224961r569186_rule | The Windows Remote Management (WinRM) service must not use Basic authentication.
SV-224962r569186_rule | The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
SV-224963r569186_rule | The Windows Remote Management (WinRM) service must not store RunAs credentials.
SV-224964r569186_rule | Only administrators responsible for the domain controller must have Administrator rights on the system.
SV-224965r569186_rule | Kerberos user logon restrictions must be enforced.
SV-224966r569186_rule | The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
SV-224967r569186_rule | The Kerberos user ticket lifetime must be limited to 10 hours or less.
SV-224968r569186_rule | The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
SV-224969r569186_rule | The computer clock synchronization tolerance must be limited to 5 minutes or less.
SV-224970r569186_rule | Permissions on the Active Directory data files must only allow System and Administrators access.
SV-224971r569186_rule | The Active Directory SYSVOL directory must have the proper access control permissions.
SV-224972r569186_rule | Active Directory Group Policy objects must have proper access control permissions.
SV-224973r569186_rule | The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
SV-224974r569186_rule | Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
SV-224975r569186_rule | Data files owned by users must be on a different logical partition from the directory server data files.
SV-224976r569186_rule | Domain controllers must run on a machine dedicated to that function.
SV-224977r569186_rule | Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
SV-224978r569186_rule | Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
SV-224979r569186_rule | The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.
SV-224980r569186_rule | Active Directory Group Policy objects must be configured with proper audit settings.
SV-224981r569186_rule | The Active Directory Domain object must be configured with proper audit settings.
SV-224982r569186_rule | The Active Directory Infrastructure object must be configured with proper audit settings.
SV-224983r569186_rule | The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
SV-224984r569186_rule | The Active Directory AdminSDHolder object must be configured with proper audit settings.
SV-224985r569186_rule | The Active Directory RID Manager$ object must be configured with proper audit settings.
SV-224986r569186_rule | Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.
SV-224987r569186_rule | Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes.
SV-224988r569186_rule | Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures.
SV-224989r569186_rule | Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes.
SV-224990r569186_rule | Windows Server 2016 must be configured to audit DS Access - Directory Service Changes failures.
SV-224991r569186_rule | Domain controllers must have a PKI server certificate.
SV-224992r569186_rule | Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
SV-224993r569186_rule | PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
SV-224994r569186_rule | Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
SV-224995r569186_rule | Domain controllers must require LDAP access signing.
SV-224996r569186_rule | Domain controllers must be configured to allow reset of machine account passwords.
SV-224997r569186_rule | The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
SV-224998r569186_rule | The Add workstations to domain user right must only be assigned to the Administrators group.
SV-224999r569186_rule | The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
SV-225000r569186_rule | The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
SV-225001r569186_rule | The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
SV-225002r569186_rule | The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
SV-225003r569186_rule | The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
SV-225004r569186_rule | The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
SV-225005r569186_rule | The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
SV-225006r569186_rule | The password for the krbtgt account on a domain must be reset at least every 180 days.
SV-225007r569186_rule | Only administrators responsible for the member server or standalone system must have Administrator rights on the system.
SV-225008r569186_rule | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
SV-225009r569186_rule | Local users on domain-joined computers must not be enumerated.
SV-225010r569186_rule | Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server.
SV-225011r569186_rule | Caching of logon credentials must be limited.
SV-225012r569186_rule | Windows Server 2016 must be running Credential Guard on domain-joined member servers.
SV-225013r569186_rule | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
SV-225014r569186_rule | The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
SV-225015r569186_rule | The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.
SV-225016r569186_rule | The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
SV-225017r569186_rule | The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
SV-225018r569186_rule | The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
SV-225019r569186_rule | The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.
SV-225020r569186_rule | The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers.
SV-225021r569277_rule | The DoD Root CA certificates must be installed in the Trusted Root Store.
SV-225022r569274_rule | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
SV-225023r569271_rule | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
SV-225024r569186_rule | Windows Server 2016 built-in guest account must be disabled.
SV-225025r569186_rule | Local accounts with blank passwords must be restricted to prevent access from the network.
SV-225026r569186_rule | Windows Server 2016 built-in administrator account must be renamed.
SV-225027r569186_rule | Windows Server 2016 built-in guest account must be renamed.
SV-225028r569186_rule | Audit policy using subcategories must be enabled.
SV-225029r569186_rule | The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
SV-225030r569186_rule | The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled.
SV-225031r569186_rule | The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
SV-225032r569186_rule | The computer account password must not be prevented from being reset.
SV-225033r569186_rule | The maximum age for machine account passwords must be configured to 30 days or less.
SV-225034r569186_rule | Windows Server 2016 must be configured to require a strong session key.
SV-225035r569186_rule | The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.
SV-225036r569186_rule | The required legal notice must be configured to display before console logon.
SV-225037r569186_rule | The Windows dialog box title for the legal banner must be configured with the appropriate text.
SV-225038r569186_rule | The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
SV-225039r569186_rule | The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
SV-225040r569186_rule | The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
SV-225041r569186_rule | Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
SV-225042r569186_rule | The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
SV-225043r569186_rule | The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
SV-225044r569186_rule | Anonymous SID/Name translation must not be allowed.
SV-225045r569186_rule | Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.
SV-225046r569186_rule | Anonymous enumeration of shares must not be allowed.
SV-225047r569186_rule | Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
SV-225048r569186_rule | Anonymous access to Named Pipes and Shares must be restricted.
SV-225049r569186_rule | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
SV-225050r569186_rule | NTLM must be prevented from falling back to a Null session.
SV-225051r569186_rule | PKU2U authentication using online identities must be prevented.
SV-225052r569186_rule | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
SV-225053r569186_rule | Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.
SV-225054r569186_rule | The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
SV-225055r569186_rule | Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.
SV-225056r569186_rule | Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
SV-225057r569186_rule | Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
SV-225058r569186_rule | Users must be required to enter a password to access private keys stored on the computer.
SV-225059r569186_rule | Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
SV-225060r569186_rule | The default permissions of global system objects must be strengthened.
SV-225061r569186_rule | User Account Control approval mode for the built-in Administrator must be enabled.
SV-225062r569186_rule | UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
SV-225063r569186_rule | User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
SV-225064r569186_rule | User Account Control must automatically deny standard user requests for elevation.
SV-225065r569186_rule | User Account Control must be configured to detect application installations and prompt for elevation.
SV-225066r569186_rule | User Account Control must only elevate UIAccess applications that are installed in secure locations.
SV-225067r569186_rule | User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
SV-225068r569186_rule | User Account Control must virtualize file and registry write failures to per-user locations.
SV-225069r569186_rule | Zone information must be preserved when saving attachments.
SV-225070r569186_rule | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
SV-225071r569186_rule | The Act as part of the operating system user right must not be assigned to any groups or accounts.
SV-225072r569186_rule | The Allow log on locally user right must only be assigned to the Administrators group.
SV-225073r569186_rule | The Back up files and directories user right must only be assigned to the Administrators group.
SV-225074r569186_rule | The Create a pagefile user right must only be assigned to the Administrators group.
SV-225076r569186_rule | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
SV-225077r569186_rule | The Create permanent shared objects user right must not be assigned to any groups or accounts.
SV-225078r569186_rule | The Create symbolic links user right must only be assigned to the Administrators group.
SV-225079r569186_rule | The Debug programs user right must only be assigned to the Administrators group.
SV-225080r569186_rule | The Force shutdown from a remote system user right must only be assigned to the Administrators group.
SV-225081r569186_rule | The Generate security audits user right must only be assigned to Local Service and Network Service.
SV-225082r569186_rule | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
SV-225083r569186_rule | The Increase scheduling priority user right must only be assigned to the Administrators group.
SV-225084r569186_rule | The Load and unload device drivers user right must only be assigned to the Administrators group.
SV-225085r569186_rule | The Lock pages in memory user right must not be assigned to any groups or accounts.
SV-225086r569186_rule | The Manage auditing and security log user right must only be assigned to the Administrators group.
SV-225087r569186_rule | The Modify firmware environment values user right must only be assigned to the Administrators group.
SV-225088r569186_rule | The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
SV-225089r569186_rule | The Profile single process user right must only be assigned to the Administrators group.
SV-225091r569186_rule | The Create a token object user right must not be assigned to any groups or accounts.
SV-225092r569186_rule | The Restore files and directories user right must only be assigned to the Administrators group.
SV-225093r569186_rule | The Take ownership of files or other objects user right must only be assigned to the Administrators group.
SV-236000r641817_rule | The Windows Explorer Preview pane must be disabled for Windows Server 2016.