STIGQter: STIG Summary: Windows 2008 Domain Controller Security Technical Implementation Guide

Version: 6

Release: 44

Benchmark Date: 26 Jul 2019

Name  Title
SV-29619r1_rule  Physical security of the Automated Information System (AIS) does not meet DISA requirements.
SV-29623r2_rule  Shared user accounts must not be permitted on the system.
SV-29338r2_rule  Systems must be at supported service packs (SP) or releases levels.
SV-29470r5_rule  The Windows 2008 system must use an anti-virus program.
SV-29591r1_rule  The system allows shutdown from the logon dialog box.
SV-29627r1_rule  System information backups are not created, updated, and protected according to DISA requirements.
SV-29201r2_rule  Permissions for event logs must conform to minimum requirements.
SV-29478r1_rule  Local volumes are not formatted using NTFS.
SV-29634r4_rule  The required legal notice must be configured to display before console logon.
SV-28979r3_rule  Caching of logon credentials must be limited.
SV-28983r1_rule  Anonymous shares are not restricted.
SV-28987r1_rule  Number of allowed bad-logon attempts does not meet minimum requirements.
SV-29639r2_rule  The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2008.
SV-29643r2_rule  Windows 2008 account lockout duration must be configured to 15 minutes or greater.
SV-28991r1_rule  Unauthorized users are granted right to Act as part of the operating system.
SV-18394r4_rule  User rights assignments must meet minimum requirements.
SV-29647r1_rule  Maximum password age does not meet minimum requirements.
SV-28995r1_rule  Minimum password age does not meet minimum requirements.
SV-29652r2_rule  The password history must be configured to 24 passwords remembered.
SV-29482r3_rule  Outdated or unused accounts must be removed from the system or disabled.
SV-29657r1_rule  The built-in guest account is not disabled.
SV-29485r1_rule  The built-in guest account has not been renamed.
SV-28998r1_rule  The built-in administrator account has not been renamed.
SV-29488r2_rule  Windows event log sizes must meet minimum requirements.
SV-29664r1_rule  Booting into alternate operating systems is permitted.
SV-29493r2_rule  File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.
SV-29497r2_rule  File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive.
SV-29501r1_rule  The system configuration is not set with a password-protected screen saver.
SV-16948r2_rule  The Recycle Bin on a server must be configured to immediately delete files.
SV-47874r1_rule  Only administrators responsible for the system must have Administrator rights on the system.
SV-29669r2_rule  Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
SV-29507r1_rule  ACLs for system files and directories do not conform to minimum requirements.
SV-16949r1_rule  Printer share permissions are not configured as recommended.
SV-29001r2_rule  Users must be forcibly disconnected when their logon hours expire.
SV-29681r2_rule  Users with Administrative privilege are not documented or do not have separate accounts for administrative duties and normal operational tasks.
SV-29004r2_rule  Unencrypted passwords must not be sent to third-party SMB Servers.
SV-29007r2_rule  Automatic logons must be disabled.
SV-29685r2_rule  The built-in Windows password complexity policy must be enabled.
SV-29010r1_rule  Print driver installation privilege is not restricted to administrators.
SV-29595r3_rule  Anonymous access to the registry must be restricted.
SV-29013r1_rule  The Send download LanMan compatible password option is not set to Send NTLMv2 response only\refuse LM.
SV-29016r1_rule  Ctrl+Alt+Del security attention sequence is Disabled.
SV-47871r1_rule  The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
SV-28472r1_rule  The Smart Card removal option is set to take no action.
SV-29027r1_rule  The Windows SMB server is not enabled to perform SMB packet signing when possible.
SV-29515r1_rule  Outgoing secure channel traffic is not encrypted when possible.
SV-29518r1_rule  Outgoing secure channel traffic is not signed when possible.
SV-29030r1_rule  The computer account password is prevented from being reset.
SV-29033r1_rule  The Windows SMB client is not enabled to perform SMB packet signing when possible.
SV-29522r2_rule  Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
SV-29217r1_rule  Ejection of removable NTFS media is not restricted to Administrators.
SV-29220r1_rule  Users are not warned in advance that their passwords will expire.
SV-29223r1_rule  The default permissions of Global system objects are not increased.
SV-29226r2_rule  The amount of idle time required before suspending a session must be properly set.
SV-29689r1_rule  Reversible password encryption is not disabled.
SV-28493r1_rule  The Server Operators group must have the ability to schedule jobs by means of the AT command disabled.
SV-29526r1_rule  The system is configured to autoplay removable media.
SV-28494r2_rule  Kerberos user logon restrictions must be enforced.
SV-28497r2_rule  The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
SV-28499r2_rule  The Kerberos user ticket lifetime must be limited to 10 hours or less.
SV-28501r2_rule  The Kerberos user ticket renewal maximum lifetime must be limited to 7 days or less.
SV-28505r2_rule  The computer clock synchronization tolerance must be limited to 5 minutes or less.
SV-29692r1_rule  System files are not checked for unauthorized changes.
SV-29696r1_rule  Unencrypted remote access is permitted to system services.
SV-29213r2_rule  File share permissions must be configured to remove the Everyone group.
SV-29699r1_rule  A Server does not have a host-based Intrusion Detection System.
SV-29702r2_rule  Anonymous SID/Name translation must not be allowed.
SV-16933r1_rule  Unauthorized named pipes are accessible with anonymous credentials.
SV-28589r1_rule  Unauthorized registry paths are remotely accessible.
SV-29704r1_rule  Unauthorized shares can be accessed anonymously.
SV-29230r1_rule  Solicited Remote Assistance is allowed.
SV-29234r1_rule  The use of local accounts with blank passwords is not restricted to console logons only.
SV-29239r1_rule  The user is allowed to launch Windows Messenger (MSN Messenger, .NET Messenger).
SV-29244r1_rule  Windows Messenger (MSN Messenger, .NET messenger) is run at system startup.
SV-29708r1_rule  The system can be removed from the docking station without logging on first.
SV-29247r1_rule  The maximum age for machine account passwords is not set to requirements.
SV-29251r1_rule  The system is not configured to require a strong session key.
SV-29259r1_rule  The system is configured to permit storage of credentials or .NET Passports.
SV-29264r1_rule  The system is configured to give anonymous users Everyone rights.
SV-29267r1_rule  The system is not configured to use the Classic security model.
SV-29270r1_rule  The system is configured to store the LAN Manager hash of the password in the SAM.
SV-29273r1_rule  The system is not configured to recommended LDAP client signing requirements.
SV-29530r1_rule  The system is not configured to meet the minimum requirement for session security for NTLM SSP based Clients.
SV-29533r1_rule  The system is not configured to use FIPS compliant Algorithms for Encryption, Hashing, and Signing.
SV-29536r2_rule  The system must be configured to require case insensitivity for non-Windows subsystems.
SV-16938r1_rule  Terminal Services is not configured to limit users to one remote session (Terminal Server Role)
SV-16953r2_rule  Terminal Services is not configured with the client connection encryption set to the required level.
SV-29101r1_rule  Terminal Services is configured to use a common temporary folder for all sessions (Terminal Server Role).
SV-29103r1_rule  Terminal Services is not configured to delete temporary folders (Terminal Server Role).
SV-29606r2_rule  The system is configured to prevent background refresh of Group Policy.
SV-29283r1_rule  The system is configured to allow unsolicited remote assistance offers.
SV-29539r2_rule  The time service must synchronize with an appropriate DoD time source.
SV-29718r1_rule  The system is not configured to use Safe DLL Search Mode.
SV-40097r2_rule  Media Player must be configured to prevent automatic checking for updates.
SV-29721r1_rule  Media Player is configured to allow automatic CODEC downloads.
SV-16965r1_rule  Unnecessary services are not disabled.
SV-29723r2_rule  There is no local policy for reviewing audit logs.
SV-29357r1_rule  The system is not configured to meet the minimum requirement for session security for NTLM SSP based Servers.
SV-29727r1_rule  Security-related Software Patches are not applied.
SV-29730r2_rule  The system must generate an audit event when the audit log reaches a percentage of full threshold.
SV-29361r1_rule  The system is configured to allow IP source routing.
SV-29364r1_rule  The system is configured to redirect ICMP.
SV-29367r1_rule  The system is configured to detect and configure default gateway addresses.
SV-29610r1_rule  The system is configured for a greater keep-alive time than recommended.
SV-29370r2_rule  The system must be configured to ignore NetBIOS name release requests except from WINS servers.
SV-41837r2_rule  Domain Controllers must require LDAP signing.
SV-41844r1_rule  The domain controller must be configured to allow reset of machine account passwords.
SV-29373r2_rule  The system must limit how many times unacknowledged TCP data is retransmitted.
SV-29376r1_rule  This check verifies that Windows is configured to have password protection take effect within a limited time frame when the screen saver becomes active.
SV-29732r1_rule  Unauthorized registry paths and sub-paths are remotely accessible.
SV-29733r3_rule  Users must be required to enter a password to access private keys stored on the computer.
SV-29734r1_rule  Optional Subsystems are permitted to operate on the system.
SV-29735r1_rule  Software certificate restriction policies are not enforced.
SV-16952r1_rule  The Terminal Server does not require secure RPC communication (Terminal Server Role).
SV-29379r2_rule  Group Policy objects are not reprocessed if they have not changed.
SV-29382r1_rule  Outgoing secure channel traffic is not encrypted or signed.
SV-29385r1_rule  The Windows Server SMB client is not enabled to always perform SMB packet signing.
SV-29392r1_rule  The Windows Server SMB server is not enabled to always perform SMB packet signing.
SV-29545r1_rule  Named Pipes and Shares can be accessed anonymously.
SV-29389r2_rule  For systems utilizing a logon ID as the individual identifier, passwords must be a minimum of 14 characters in length.
SV-29396r2_rule  Windows 2008 passwords must be configured to expire.
SV-51984r2_rule  Auditing records must be configured as required.
SV-29549r2_rule  Windows 2008 accounts must be configured to require passwords.
SV-34432r5_rule  Active Directory data files must have proper access control permissions.
SV-31551r2_rule  Data files owned by users must be on a different logical partition from the directory server data files.
SV-31548r2_rule  Time synchronization must be enabled on the domain controller.
SV-8819r2_rule  The time synchronization tool must be configured to enable logging of time source switching.
SV-31550r2_rule  The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function.
SV-31553r2_rule  Windows services that are critical for directory server operation must be configured for automatic startup.
SV-29400r1_rule  The system is configured to allow the display of the last user name on the logon screen.
SV-54938r1_rule  The Synchronize directory service data user right must be configured to include no accounts or groups (blank).
SV-29750r2_rule  The Windows 2008 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.
SV-29752r2_rule  Audit data must be retained for at least one year.
SV-29402r2_rule  Auditing Access of Global System Objects must be turned off.
SV-29404r1_rule  Audit of Backup and Restore Privileges is not turned off.
SV-29550r1_rule  Audit policy using subcategories is enabled.
SV-16835r1_rule  IPSec Exemptions are limited.
SV-29551r1_rule  User Account Control - Built In Admin Approval Mode
SV-14846r2_rule  User Account Control must, at minimum, prompt administrators for consent.
SV-28479r1_rule  User Account Control - Behavior of elevation prompt for standard users.
SV-29552r1_rule  User Account Control - Detect Application Installations
SV-29553r1_rule  User Account Control - Elevate UIAccess applications that are in secure locations
SV-29099r1_rule  User Account Control - Run all admins in Admin Approval Mode
SV-29554r1_rule  User Account Control - Switch to secure desktop
SV-29555r1_rule  User Account Control - Non UAC Compliant Application Virtualization
SV-29556r2_rule  Administrator accounts must not be enumerated during elevation.
SV-29406r1_rule  Terminal Services / Remote Desktop Service - Prevent password saving in the Remote Desktop Client
SV-29198r1_rule  Terminal Services / Remote Desktop Services - Local drives prevented from sharing with Terminal Servers (Terminal Server Role).
SV-29413r1_rule  File and Folder Publish to Web option unavailable.
SV-29416r1_rule  Web Publishing and online ordering wizards prevented from downloading list of providers.
SV-29418r1_rule  Windows Messenger prevented from collecting anonymous information.
SV-29420r1_rule  Search Companion prevented from automatically downloading content updates.
SV-29422r1_rule  Prevent printing over HTTP.
SV-29424r1_rule  Computer prevented from downloading print driver packages over HTTP.
SV-29426r1_rule  Windows is prevented from using Windows Update to search for drivers.
SV-29754r1_rule  Preserve Zone information when saving attachments.
SV-29756r1_rule  Hide mechanism for removing Zone information from file attachments.
SV-29758r1_rule  Notify antivirus when file attachments are opened.
SV-29337r2_rule  Application account passwords must meet DoD requirements for length, complexity and changes.
SV-54941r2_rule  Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
SV-51992r1_rule  Anonymous access to the root DSE of a non-public directory must be disabled.
SV-51995r1_rule  Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
SV-54945r1_rule  Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
SV-51991r1_rule  The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
SV-28512r3_rule  Active directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
SV-29560r3_rule  The HBSS McAfee Agent must be installed.
SV-29428r1_rule  Windows Peer to Peer Networking
SV-29430r1_rule  Prohibit Network Bridge in Windows
SV-21932r2_rule  Event Viewer Events.asp links must be turned off.
SV-29437r1_rule  Internet Connection Wizard ISP Downloads
SV-29439r1_rule  Disable Internet File Association Service
SV-29441r1_rule  Windows Registration Wizard
SV-29614r1_rule  Order Prints Online
SV-29443r1_rule  Windows Movie Maker Codec Downloads
SV-29445r1_rule  Windows Movie Maker Web Links
SV-29447r1_rule  Windows Movie Maker Online Hosting
SV-29451r2_rule  Attachments must be prevented from being downloaded from RSS feeds.
SV-29453r1_rule  Windows Explorer – Shell Protocol Protected Mode
SV-29455r1_rule  Windows Installer – IE Security Prompt
SV-29457r1_rule  Windows Installer – User Control
SV-29459r1_rule  Windows Installer – Vendor Signed Updates
SV-29461r1_rule  Media Player – First Use Dialog Boxes
SV-29561r1_rule  Network – Mapper I/O Driver
SV-29562r1_rule  Network – Responder Driver
SV-29759r1_rule  Network – Windows Connect Now Wireless Configuration
SV-29563r1_rule  Network – Windows Connect Now Wizards
SV-29564r1_rule  Driver Install – Device Driver Search Prompt
SV-28517r1_rule  Power Mgmt – Password Wake on Battery (Only applicable to 2008 if installed on a laptop.)
SV-28519r1_rule  Power Mgmt – Password Wake When Plugged In (Only applicable to 2008 if installed on a laptop.)
SV-29565r1_rule  Remote Assistance – Session Logging
SV-29566r1_rule  Online Assistance – Untrusted Content
SV-29567r1_rule  Search – Encrypted Files Indexing
SV-29572r1_rule  Defender – SpyNet Reporting
SV-29576r2_rule  Windows Explorer – Heap Termination
SV-29578r1_rule  Windows Mail – Communities
SV-29579r1_rule  Windows Mail – Disable Application
SV-29580r1_rule  Media DRM – Internet Access
SV-29760r1_rule  User Network Sharing
SV-29465r2_rule  Software certificate installation files must be removed from Windows 2008.
SV-16934r1_rule  UAC - Allow UIAccess applications to prompt for elevation without using the secure desktop
SV-16941r1_rule  Terminal Services – Prevent COM Port Redirection (Terminal Server Role).
SV-16942r1_rule  Terminal Services – Prevent LPT Port Redirection (Terminal Server Role).
SV-16943r1_rule  Terminal Services – Prevent Plug and Play Device Redirection (Terminal Server Role).
SV-16944r1_rule  Terminal Services – Smart Card Device Redirection Enabled (Terminal Server Role).
SV-16945r1_rule  Terminal Services – Default Only Client Printer Redirection (Terminal Server Role).
SV-16960r1_rule  UAC - Application Elevations
SV-29581r1_rule  Windows Customer Experience Improvement Program is disabled.
SV-29761r1_rule  Help Experience Improvement Program is disabled.
SV-29762r1_rule  Disable Help Ratings feed back.
SV-29585r1_rule  Disallow AutoPlay/Autorun from Autorun.inf
SV-29589r1_rule  Unapproved Users have access to Debug programs.
SV-33308r3_rule  Standard user accounts must only have Read permissions to the Winlogon registry key.
SV-34591r2_rule  The Windows dialog box title for the legal banner must be configured.
SV-47114r1_rule  The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
SV-47125r1_rule  The Deny log on as a service user right must be configured to include no accounts or groups (blank).
SV-47107r1_rule  The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
SV-47143r1_rule  The Deny log on through Terminal Services user right on domain controllers must be configured to prevent unauthenticated access.
SV-83307r1_rule  The Fax service must be disabled if installed.
SV-83309r2_rule  The Microsoft FTP service must not be installed unless required.
SV-83311r1_rule  The Peer Networking Identity Manager service must be disabled if installed.
SV-83313r1_rule  The Simple TCP/IP Services service must be disabled if installed.
SV-83315r1_rule  The Telnet service must be disabled if installed.
SV-33885r4_rule  PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
SV-34410r2_rule  File Replication Service (FRS) directory data files must have proper access control permissions.
SV-39858r2_rule  The Active Directory SYSVOL directory must have the proper access control permissions.
SV-42594r6_rule  The DoD Root CA certificates must be installed in the Trusted Root Store.
SV-42605r8_rule  The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
SV-42617r2_rule  Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
SV-44096r4_rule  Active Directory Group Policy objects must have proper access control permissions.
SV-46218r1_rule  The Windows Installer Always install with elevated privileges must be disabled.
SV-47864r2_rule  Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
SV-55016r3_rule  Active Directory Group Policy objects must be configured with proper audit settings.
SV-55057r1_rule  The Active Directory Domain object must be configured with proper audit settings.
SV-55060r1_rule  The Active Directory Infrastructure object must be configured with proper audit settings.
SV-55063r1_rule  The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
SV-55066r1_rule  The Active Directory AdminSDHolder object must be configured with proper audit settings.
SV-55069r1_rule  The Active Directory RID Manager$ object must be configured with proper audit settings.
SV-56717r2_rule  The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
SV-56718r1_rule  Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
SV-52394r5_rule  The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
SV-88183r1_rule  The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
SV-88195r2_rule  The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
SV-90599r1_rule  Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2008.
SV-101875r1_rule  The password for the krbtgt account on a domain must be reset at least every 180 days.
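The list above gives only rule IDs and titles. As an added example (written for this page; it is not code from STIGQter or from DISA), the script below spot-checks the subset of those rules that map to a single registry value (LAN Manager hash storage, authentication level, anonymous access, NTLM session security, FIPS mode, SMB signing, SMBv1, LDAP signing, Netlogon secure channel, cached logons, autologon, Safe DLL search, IP source routing and ICMP redirects) and the krbtgt password age from SV-101875r1_rule. The rule IDs are copied from the list; the registry paths and expected values come from the corresponding STIG check text and Microsoft documentation, not from this page, and the function names Test-RegistryRule and Test-KrbtgtAge are this example's own. It is read-only and is meant to be run from an elevated PowerShell prompt on the domain controller; rules that depend on ACLs, user rights assignments or Active Directory object permissions are not covered and still need the manual or SCAP check.

```powershell
# Added example, not part of the STIGQter page or of the DISA STIG. Read-only spot check of
# registry-backed rules from the list above plus the krbtgt password age. Expected values are
# taken from the STIG check text / Microsoft documentation (assumptions, not from this page).

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Op defaults to 'eq'; 'le' expresses the "N or less" wording used by several titles.
$checks = @(
  @{Rule='SV-29270r1_rule'; Path=$lsa; Name='NoLMHash'; Expect=1},
  # The page title reads "refuse LM" (level 4); level 5 also refuses NTLM and is the value
  # the check text requires, so it is used here.
  @{Rule='SV-29013r1_rule'; Path=$lsa; Name='LmCompatibilityLevel'; Expect=5},
  @{Rule='SV-28983r1_rule'; Path=$lsa; Name='RestrictAnonymous'; Expect=1},
  @{Rule='SV-29264r1_rule'; Path=$lsa; Name='EveryoneIncludesAnonymous'; Expect=0},
  @{Rule='SV-29533r1_rule'; Path="$lsa\FIPSAlgorithmPolicy"; Name='Enabled'; Expect=1},
  @{Rule='SV-29530r1_rule'; Path="$lsa\MSV1_0"; Name='NTLMMinClientSec'; Expect=537395200},
  @{Rule='SV-29357r1_rule'; Path="$lsa\MSV1_0"; Name='NTLMMinServerSec'; Expect=537395200},
  @{Rule='SV-29027r1_rule'; Path=$srv; Name='EnableSecuritySignature'; Expect=1},
  @{Rule='SV-29392r1_rule'; Path=$srv; Name='RequireSecuritySignature'; Expect=1},
  @{Rule='SV-88183r1_rule'; Path=$srv; Name='SMB1'; Expect=0},
  @{Rule='SV-29033r1_rule'; Path=$wks; Name='EnableSecuritySignature'; Expect=1},
  @{Rule='SV-29385r1_rule'; Path=$wks; Name='RequireSecuritySignature'; Expect=1},
  @{Rule='SV-88195r2_rule'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'; Name='Start'; Expect=4},
  @{Rule='SV-41837r2_rule'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Name='LDAPServerIntegrity'; Expect=2},
  @{Rule='SV-29273r1_rule'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name='LDAPClientIntegrity'; Expect=1},
  @{Rule='SV-29382r1_rule'; Path=$netlogon; Name='RequireSignOrSeal'; Expect=1},
  @{Rule='SV-29251r1_rule'; Path=$netlogon; Name='RequireStrongKey'; Expect=1},
  @{Rule='SV-29030r1_rule'; Path=$netlogon; Name='DisablePasswordChange'; Expect=0},
  @{Rule='SV-29247r1_rule'; Path=$netlogon; Name='MaximumPasswordAge'; Expect=30; Op='le'},
  @{Rule='SV-28979r3_rule'; Path=$winlogon; Name='CachedLogonsCount'; Expect=4; Op='le'},
  @{Rule='SV-29007r2_rule'; Path=$winlogon; Name='AutoAdminLogon'; Expect=0},
  @{Rule='SV-29718r1_rule'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name='SafeDllSearchMode'; Expect=1},
  @{Rule='SV-29361r1_rule'; Path=$tcpip; Name='DisableIPSourceRouting'; Expect=2},
  @{Rule='SV-29364r1_rule'; Path=$tcpip; Name='EnableICMPRedirect'; Expect=0}
)

function Test-RegistryRule {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $op = if ($Check.ContainsKey('Op')) { $Check.Op } else { 'eq' }
    if ($null -eq $item) {
        # A missing value means the OS default applies; treat it as a finding and review by hand.
        $actual = $null; $status = 'Open (value missing)'
    } else {
        $actual = [int64]$item.($Check.Name)      # REG_SZ values such as "0" convert cleanly
        $pass = switch ($op) {
            'eq' { $actual -eq $Check.Expect }
            'le' { $actual -le $Check.Expect }
            'ge' { $actual -ge $Check.Expect }
        }
        $status = if ($pass) { 'NotAFinding' } else { 'Open' }
    }
    New-Object PSObject -Property @{
        Rule = $Check.Rule; Setting = "$($Check.Path)\$($Check.Name)"
        Expected = "$op $($Check.Expect)"; Actual = $actual; Status = $status
    }
}

function Test-KrbtgtAge {
    param([int]$MaxDays = 180)
    # DirectorySearcher works on Windows Server 2008 without the ActiveDirectory module.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter = '(sAMAccountName=krbtgt)'
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    $hit = $searcher.FindOne()
    $lastSet = [DateTime]::FromFileTime([int64]$hit.Properties['pwdlastset'][0])
    $age = ((Get-Date) - $lastSet).Days
    New-Object PSObject -Property @{
        Rule = 'SV-101875r1_rule'; Setting = 'krbtgt pwdLastSet'
        Expected = "le $MaxDays days"; Actual = "$age days (set $($lastSet.ToShortDateString()))"
        Status = if ($age -le $MaxDays) { 'NotAFinding' } else { 'Open' }
    }
}

$results = @($checks | ForEach-Object { Test-RegistryRule $_ }) + @(Test-KrbtgtAge)
$results | Format-Table Rule, Status, Expected, Actual, Setting -AutoSize
```

Pipe `$results` to `Export-Csv` to keep evidence alongside the checklist. A value that is present but applied by Group Policy lives under the same key only after the policy has been processed, so run `gpupdate /force` first if a result looks stale; and treat a "value missing" row as Open rather than ignoring it, since for every setting above the absent-value default is the weaker one.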