STIGQter: STIG Summary: Windows 2008 Member Server Security Technical Implementation Guide

Version: 6

Release: 43

Benchmark Date: 26 Jul 2019

Name | Title
SV-29619r1_rule | Physical security of the Automated Information System (AIS) does not meet DISA requirements.
SV-29623r2_rule | Shared user accounts must not be permitted on the system.
SV-29338r2_rule | Systems must be at supported service packs (SP) or releases levels.
SV-29470r5_rule | The Windows 2008 system must use an anti-virus program.
SV-29591r1_rule | The system allows shutdown from the logon dialog box.
SV-29627r1_rule | System information backups are not created, updated, and protected according to DISA requirements.
SV-29201r2_rule | Permissions for event logs must conform to minimum requirements.
SV-29478r1_rule | Local volumes are not formatted using NTFS.
SV-29634r4_rule | The required legal notice must be configured to display before console logon.
SV-28979r3_rule | Caching of logon credentials must be limited.
SV-28983r1_rule | Anonymous shares are not restricted.
SV-28987r1_rule | Number of allowed bad-logon attempts does not meet minimum requirements.
SV-29639r2_rule | The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2008.
SV-29643r2_rule | Windows 2008 account lockout duration must be configured to 15 minutes or greater.
SV-28991r1_rule | Unauthorized users are granted right to Act as part of the operating system.
SV-18393r4_rule | User rights assignments must meet minimum requirements.
SV-29647r1_rule | Maximum password age does not meet minimum requirements.
SV-28995r1_rule | Minimum password age does not meet minimum requirements.
SV-29652r2_rule | The password history must be configured to 24 passwords remembered.
SV-29482r3_rule | Outdated or unused accounts must be removed from the system or disabled.
SV-29657r1_rule | The built-in guest account is not disabled.
SV-29485r1_rule | The built-in guest account has not been renamed.
SV-28998r1_rule | The built-in administrator account has not been renamed.
SV-29488r2_rule | Windows event log sizes must meet minimum requirements.
SV-29664r1_rule | Booting into alternate operating systems is permitted.
SV-29493r2_rule | File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.
SV-29497r2_rule | File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive.
SV-29501r1_rule | The system configuration is not set with a password-protected screen saver.
SV-16948r2_rule | The Recycle Bin on a server must be configured to immediately delete files.
SV-29505r2_rule | Only administrators responsible for the system must have Administrator rights on the system.
SV-29669r2_rule | Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
SV-29507r1_rule | ACLs for system files and directories do not conform to minimum requirements.
SV-16949r1_rule | Printer share permissions are not configured as recommended.
SV-29001r2_rule | Users must be forcibly disconnected when their logon hours expire.
SV-29681r2_rule | Users with Administrative privilege are not documented or do not have separate accounts for administrative duties and normal operational tasks.
SV-29004r2_rule | Unencrypted passwords must not be sent to third-party SMB Servers.
SV-29007r2_rule | Automatic logons must be disabled.
SV-29685r2_rule | The built-in Windows password complexity policy must be enabled.
SV-29010r1_rule | Print driver installation privilege is not restricted to administrators.
SV-29595r3_rule | Anonymous access to the registry must be restricted.
SV-29013r1_rule | The Send download LanMan compatible password option is not set to Send NTLMv2 response only\refuse LM.
SV-29016r1_rule | Ctrl+Alt+Del security attention sequence is Disabled.
SV-29599r4_rule | The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local administrator accounts on domain systems and unauthenticated access on all systems.
SV-28472r1_rule | The Smart Card removal option is set to take no action.
SV-29027r1_rule | The Windows SMB server is not enabled to perform SMB packet signing when possible.
SV-29515r1_rule | Outgoing secure channel traffic is not encrypted when possible.
SV-29518r1_rule | Outgoing secure channel traffic is not signed when possible.
SV-29030r1_rule | The computer account password is prevented from being reset.
SV-29033r1_rule | The Windows SMB client is not enabled to perform SMB packet signing when possible.
SV-29522r2_rule | Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
SV-29217r1_rule | Ejection of removable NTFS media is not restricted to Administrators.
SV-29220r1_rule | Users are not warned in advance that their passwords will expire.
SV-29223r1_rule | The default permissions of Global system objects are not increased.
SV-29226r2_rule | The amount of idle time required before suspending a session must be properly set.
SV-29689r1_rule | Reversible password encryption is not disabled.
SV-29526r1_rule | The system is configured to autoplay removable media.
SV-29692r1_rule | System files are not checked for unauthorized changes.
SV-29696r1_rule | Unencrypted remote access is permitted to system services.
SV-29213r2_rule | File share permissions must be configured to remove the Everyone group.
SV-29699r1_rule | A Server does not have a host-based Intrusion Detection System.
SV-29702r2_rule | Anonymous SID/Name translation must not be allowed.
SV-16933r1_rule | Unauthorized named pipes are accessible with anonymous credentials.
SV-28589r1_rule | Unauthorized registry paths are remotely accessible.
SV-29704r1_rule | Unauthorized shares can be accessed anonymously.
SV-29230r1_rule | Solicited Remote Assistance is allowed.
SV-29234r1_rule | The use of local accounts with blank passwords is not restricted to console logons only.
SV-29239r1_rule | The user is allowed to launch Windows Messenger (MSN Messenger, .NET Messenger).
SV-29244r1_rule | Windows Messenger (MSN Messenger, .NET messenger) is run at system startup.
SV-29708r1_rule | The system can be removed from the docking station without logging on first.
SV-29247r1_rule | The maximum age for machine account passwords is not set to requirements.
SV-29251r1_rule | The system is not configured to require a strong session key.
SV-29259r1_rule | The system is configured to permit storage of credentials or .NET Passports.
SV-29264r1_rule | The system is configured to give anonymous users Everyone rights.
SV-29267r1_rule | The system is not configured to use the Classic security model.
SV-29270r1_rule | The system is configured to store the LAN Manager hash of the password in the SAM.
SV-29273r1_rule | The system is not configured to recommended LDAP client signing requirements.
SV-29530r1_rule | The system is not configured to meet the minimum requirement for session security for NTLM SSP based Clients.
SV-29533r1_rule | The system is not configured to use FIPS compliant Algorithms for Encryption, Hashing, and Signing.
SV-29536r2_rule | The system must be configured to require case insensitivity for non-Windows subsystems.
SV-16938r1_rule | Terminal Services is not configured to limit users to one remote session (Terminal Server Role)
SV-16953r2_rule | Terminal Services is not configured with the client connection encryption set to the required level.
SV-29101r1_rule | Terminal Services is configured to use a common temporary folder for all sessions (Terminal Server Role).
SV-29103r1_rule | Terminal Services is not configured to delete temporary folders (Terminal Server Role).
SV-29606r2_rule | The system is configured to prevent background refresh of Group Policy.
SV-29283r1_rule | The system is configured to allow unsolicited remote assistance offers.
SV-29539r2_rule | The time service must synchronize with an appropriate DoD time source.
SV-29718r1_rule | The system is not configured to use Safe DLL Search Mode.
SV-40097r2_rule | Media Player must be configured to prevent automatic checking for updates.
SV-29721r1_rule | Media Player is configured to allow automatic CODEC downloads.
SV-16965r1_rule | Unnecessary services are not disabled.
SV-29723r2_rule | There is no local policy for reviewing audit logs.
SV-29357r1_rule | The system is not configured to meet the minimum requirement for session security for NTLM SSP based Servers.
SV-29727r1_rule | Security-related Software Patches are not applied.
SV-29730r2_rule | The system must generate an audit event when the audit log reaches a percentage of full threshold.
SV-29361r1_rule | The system is configured to allow IP source routing.
SV-29364r1_rule | The system is configured to redirect ICMP.
SV-29367r1_rule | The system is configured to detect and configure default gateway addresses.
SV-29610r1_rule | The system is configured for a greater keep-alive time than recommended.
SV-29370r2_rule | The system must be configured to ignore NetBIOS name release requests except from WINS servers.
SV-29373r2_rule | The system must limit how many times unacknowledged TCP data is retransmitted.
SV-29376r1_rule | This check verifies that Windows is configured to have password protection take effect within a limited time frame when the screen saver becomes active.
SV-29732r1_rule | Unauthorized registry paths and sub-paths are remotely accessible.
SV-29733r3_rule | Users must be required to enter a password to access private keys stored on the computer.
SV-29734r1_rule | Optional Subsystems are permitted to operate on the system.
SV-29735r1_rule | Software certificate restriction policies are not enforced.
SV-16952r1_rule | The Terminal Server does not require secure RPC communication (Terminal Server Role).
SV-29379r2_rule | Group Policy objects are not reprocessed if they have not changed.
SV-29382r1_rule | Outgoing secure channel traffic is not encrypted or signed.
SV-29385r1_rule | The Windows Server SMB client is not enabled to always perform SMB packet signing.
SV-29392r1_rule | The Windows Server SMB server is not enabled to always perform SMB packet signing.
SV-29545r1_rule | Named Pipes and Shares can be accessed anonymously.
SV-29389r2_rule | For systems utilizing a logon ID as the individual identifier, passwords must be a minimum of 14 characters in length.
SV-29396r2_rule | Windows 2008 passwords must be configured to expire.
SV-16967r3_rule | Auditing records must be configured as required.
SV-29549r2_rule | Windows 2008 accounts must be configured to require passwords.
SV-29400r1_rule | The system is configured to allow the display of the last user name on the logon screen.
SV-29750r2_rule | The Windows 2008 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.
SV-29752r2_rule | Audit data must be retained for at least one year.
SV-29402r2_rule | Auditing Access of Global System Objects must be turned off.
SV-29404r1_rule | Audit of Backup and Restore Privileges is not turned off.
SV-29550r1_rule | Audit policy using subcategories is enabled.
SV-16835r1_rule | IPSec Exemptions are limited.
SV-29551r1_rule | User Account Control - Built In Admin Approval Mode
SV-14846r2_rule | User Account Control must, at minimum, prompt administrators for consent.
SV-28479r1_rule | User Account Control - Behavior of elevation prompt for standard users.
SV-29552r1_rule | User Account Control - Detect Application Installations
SV-29553r1_rule | User Account Control - Elevate UIAccess applications that are in secure locations
SV-29099r1_rule | User Account Control - Run all admins in Admin Approval Mode
SV-29554r1_rule | User Account Control - Switch to secure desktop
SV-29555r1_rule | User Account Control - Non UAC Compliant Application Virtualization
SV-29556r2_rule | Administrator accounts must not be enumerated during elevation.
SV-29406r1_rule | Terminal Services / Remote Desktop Service - Prevent password saving in the Remote Desktop Client
SV-29198r1_rule | Terminal Services / Remote Desktop Services - Local drives prevented from sharing with Terminal Servers (Terminal Server Role).
SV-29409r2_rule | Unauthenticated RPC clients must be restricted from connecting to the RPC server.
SV-29413r1_rule | File and Folder Publish to Web option unavailable.
SV-29416r1_rule | Web Publishing and online ordering wizards prevented from downloading list of providers.
SV-29418r1_rule | Windows Messenger prevented from collecting anonymous information.
SV-29420r1_rule | Search Companion prevented from automatically downloading content updates.
SV-29422r1_rule | Prevent printing over HTTP.
SV-29424r1_rule | Computer prevented from downloading print driver packages over HTTP.
SV-29426r1_rule | Windows is prevented from using Windows Update to search for drivers.
SV-29754r1_rule | Preserve Zone information when saving attachments.
SV-29756r1_rule | Hide mechanism for removing Zone information from file attachments.
SV-29758r1_rule | Notify antivirus when file attachments are opened.
SV-29337r2_rule | Application account passwords must meet DoD requirements for length, complexity and changes.
SV-29560r3_rule | The HBSS McAfee Agent must be installed.
SV-29428r1_rule | Windows Peer to Peer Networking
SV-29430r1_rule | Prohibit Network Bridge in Windows
SV-21932r2_rule | Event Viewer Events.asp links must be turned off.
SV-29437r1_rule | Internet Connection Wizard ISP Downloads
SV-29439r1_rule | Disable Internet File Association Service
SV-29441r1_rule | Windows Registration Wizard
SV-29614r1_rule | Order Prints Online
SV-29443r1_rule | Windows Movie Maker Codec Downloads
SV-29445r1_rule | Windows Movie Maker Web Links
SV-29447r1_rule | Windows Movie Maker Online Hosting
SV-29449r2_rule | The classic logon screen must be required for user logons.
SV-29451r2_rule | Attachments must be prevented from being downloaded from RSS feeds.
SV-29453r1_rule | Windows Explorer – Shell Protocol Protected Mode
SV-29455r1_rule | Windows Installer – IE Security Prompt
SV-29457r1_rule | Windows Installer – User Control
SV-29459r1_rule | Windows Installer – Vendor Signed Updates
SV-29461r1_rule | Media Player – First Use Dialog Boxes
SV-29561r1_rule | Network – Mapper I/O Driver
SV-29562r1_rule | Network – Responder Driver
SV-29759r1_rule | Network – Windows Connect Now Wireless Configuration
SV-29563r1_rule | Network – Windows Connect Now Wizards
SV-29564r1_rule | Driver Install – Device Driver Search Prompt
SV-28517r1_rule | Power Mgmt – Password Wake on Battery (Only applicable to 2008 if installed on a laptop.)
SV-28519r1_rule | Power Mgmt – Password Wake When Plugged In (Only applicable to 2008 if installed on a laptop.)
SV-29565r1_rule | Remote Assistance – Session Logging
SV-29566r1_rule | Online Assistance – Untrusted Content
SV-29567r1_rule | Search – Encrypted Files Indexing
SV-29572r1_rule | Defender – SpyNet Reporting
SV-29576r2_rule | Windows Explorer – Heap Termination
SV-29578r1_rule | Windows Mail – Communities
SV-29579r1_rule | Windows Mail – Disable Application
SV-29580r1_rule | Media DRM – Internet Access
SV-29760r1_rule | User Network Sharing
SV-29465r2_rule | Software certificate installation files must be removed from Windows 2008.
SV-16934r1_rule | UAC - Allow UIAccess applications to prompt for elevation without using the secure desktop
SV-16941r1_rule | Terminal Services – Prevent COM Port Redirection (Terminal Server Role).
SV-16942r1_rule | Terminal Services – Prevent LPT Port Redirection (Terminal Server Role).
SV-16943r1_rule | Terminal Services – Prevent Plug and Play Device Redirection (Terminal Server Role).
SV-16944r1_rule | Terminal Services – Smart Card Device Redirection Enabled (Terminal Server Role).
SV-16945r1_rule | Terminal Services – Default Only Client Printer Redirection (Terminal Server Role).
SV-16960r1_rule | UAC - Application Elevations
SV-29581r1_rule | Windows Customer Experience Improvement Program is disabled.
SV-29761r1_rule | Help Experience Improvement Program is disabled.
SV-29762r1_rule | Disable Help Ratings feed back.
SV-29585r1_rule | Disallow AutoPlay/Autorun from Autorun.inf
SV-29589r1_rule | Unapproved Users have access to Debug programs.
SV-33308r3_rule | Standard user accounts must only have Read permissions to the Winlogon registry key.
SV-34591r2_rule | The Windows dialog box title for the legal banner must be configured.
SV-47113r1_rule | The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
SV-47123r1_rule | The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
SV-47106r1_rule | The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
SV-47142r3_rule | The Deny log on through Terminal Services user right on member servers must be configured to prevent access from highly privileged domain accounts and local administrator accounts on domain systems and unauthenticated access on all systems.
SV-83307r1_rule | The Fax service must be disabled if installed.
SV-83309r2_rule | The Microsoft FTP service must not be installed unless required.
SV-83311r1_rule | The Peer Networking Identity Manager service must be disabled if installed.
SV-83313r1_rule | The Simple TCP/IP Services service must be disabled if installed.
SV-83315r1_rule | The Telnet service must be disabled if installed.
SV-42594r6_rule | The DoD Root CA certificates must be installed in the Trusted Root Store.
SV-42605r8_rule | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
SV-42617r2_rule | Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
SV-46218r1_rule | The Windows Installer Always install with elevated privileges must be disabled.
SV-47846r2_rule | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
SV-47864r2_rule | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
SV-52394r5_rule | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
SV-58477r2_rule | A group must be defined on domain systems to include all local administrator accounts.
SV-88183r1_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
SV-88195r2_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
SV-90599r1_rule | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2008.