STIGQter: STIG Summary: Windows Server 2008 R2 Member Server Security Technical Implementation Guide

Version: 1

Release: 30

Benchmark Date: 26 Jul 2019

| Checked | Name | Title |
|---|---|---|
| | SV-32240r1_rule | The Automated Information System (AIS) will be physically secured in an access controlled area. |
| | SV-32241r2_rule | Shared user accounts must not be permitted on the system. |
| | SV-32242r4_rule | Systems must be at supported service pack (SP) or release levels. |
| | SV-32244r4_rule | The Windows 2008 R2 system must use an anti-virus program. |
| | SV-32280r1_rule | The shutdown option will not be available from the logon dialog box. |
| | SV-32245r1_rule | System information backups will be created, updated, and protected. |
| | SV-32246r2_rule | Permissions for event logs must conform to minimum requirements. |
| | SV-32248r1_rule | Local volumes will be formatted using NTFS. |
| | SV-32281r5_rule | The required legal notice must be configured to display before console logon. |
| | SV-32282r3_rule | Caching of logon credentials must be limited. |
| | SV-32283r1_rule | Anonymous enumeration of shares will be restricted. |
| | SV-32284r2_rule | The system must lockout accounts after 3 invalid logon attempts within a specified time period. |
| | SV-32285r3_rule | The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2008 R2. |
| | SV-32286r3_rule | Windows 2008 R2 account lockout duration must be configured to 15 minutes or greater. |
| | SV-32287r2_rule | Unauthorized accounts must not have the Act as part of the operating system user right. |
| | SV-32288r2_rule | The maximum password age must be configured to 60 days or less. |
| | SV-32289r2_rule | The minimum password age must be configured to at least 1 day. |
| | SV-32290r3_rule | The password history must be configured to 24 passwords remembered. |
| | SV-32250r4_rule | Outdated or unused accounts must be removed from the system or disabled. |
| | SV-32291r2_rule | The built-in guest account must be disabled. |
| | SV-32292r1_rule | The built-in guest account will be renamed. |
| | SV-32293r1_rule | The built-in administrator account will be renamed. |
| | SV-32253r1_rule | Booting into alternate non STIG compliant operating systems will not be permitted. |
| | SV-32251r2_rule | File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons. |
| | SV-32252r2_rule | File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive. |
| | SV-32294r1_rule | The system will be configured with a password-protected screen saver. |
| | SV-32254r5_rule | Only administrators responsible for the system must have Administrator rights on the system. |
| | SV-32255r1_rule | Security configuration tools or equivalent processes will be used to configure platforms for security compliance. |
| | SV-32511r1_rule | ACLs for system files and directories will conform to minimum requirements. |
| | SV-32257r1_rule | Non-administrative user accounts or groups will only have print permissions of Printer Shares. |
| | SV-32295r1_rule | Users will be forcibly disconnected when their logon hours expire. |
| | SV-32259r2_rule | Users with Administrative privilege will be documented and have separate accounts for administrative duties and normal operational tasks. |
| | SV-32296r2_rule | Unencrypted passwords must not be sent to third-party SMB Servers. |
| | SV-32297r2_rule | Automatic logons must be disabled. |
| | SV-32298r2_rule | The built-in Windows password complexity policy must be enabled. |
| | SV-32299r1_rule | The print driver installation privilege will be restricted to administrators. |
| | SV-32260r3_rule | Anonymous access to the registry must be restricted. |
| | SV-32300r1_rule | The LanMan authentication level will be set to Send NTLMv2 response only\refuse LM & NTLM. |
| | SV-32301r1_rule | The Ctrl+Alt+Del security attention sequence for logons will be enabled. |
| | SV-32302r7_rule | The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. |
| | SV-32303r1_rule | The Smart Card removal option will be configured to Force Logoff or Lock Workstation. |
| | SV-32513r1_rule | The Windows SMB server will perform SMB packet signing when possible. |
| | SV-32306r1_rule | Outgoing secure channel traffic will be encrypted when possible. |
| | SV-32307r1_rule | Outgoing secure channel traffic will be signed when possible. |
| | SV-32308r1_rule | The computer account password will not be prevented from being reset. |
| | SV-32309r1_rule | The Windows SMB client will be enabled to perform SMB packet signing when possible. |
| | SV-32261r1_rule | Members of the Backup Operators group will have separate accounts for backup duties and normal operational tasks. |
| | SV-32310r1_rule | Ejection of removable NTFS media is not restricted to Administrators. |
| | SV-32311r1_rule | Users will be warned in advance that their passwords will expire. |
| | SV-32312r1_rule | The default permissions of Global system objects will be increased. |
| | SV-32313r2_rule | The amount of idle time required before suspending a session must be properly set. |
| | SV-32314r1_rule | Reversible password encryption will be disabled. |
| | SV-32315r1_rule | Autoplay will be disabled for all drives. |
| | SV-32262r1_rule | System files will be monitored for unauthorized changes. |
| | SV-32263r1_rule | Unencrypted remote access will not be permitted to system services. |
| | SV-32264r1_rule | File share ACLs will be reconfigured to remove the Everyone group. |
| | SV-32265r1_rule | Servers will have a host-based Intrusion Detection System. |
| | SV-32316r2_rule | Anonymous SID/Name translation must not be allowed. |
| | SV-32481r2_rule | Named pipes that can be accessed anonymously will be configured to contain no values. |
| | SV-32484r2_rule | Unauthorized remotely accessible registry paths must not be configured. |
| | SV-32317r1_rule | Network shares that can be accessed anonymously will not be allowed. |
| | SV-32318r1_rule | Solicited Remote Assistance will not be allowed. |
| | SV-32319r1_rule | The use of local accounts with blank passwords will be restricted to console logons only. |
| | SV-32320r1_rule | A system must be logged on to before removing from a docking station. |
| | SV-32321r1_rule | The maximum age for machine account passwords will be set to requirements. |
| | SV-32322r1_rule | The system will be configured to require a strong session key. |
| | SV-32336r1_rule | The system will be configured to prevent the storage of passwords and credentials. |
| | SV-32337r1_rule | The system will be configured to prevent anonymous users from having the same rights as the Everyone group. |
| | SV-32338r1_rule | The system will be configured to use the Classic security model. |
| | SV-32339r1_rule | The system will be configured to prevent the storage of the LAN Manager hash of passwords. |
| | SV-32468r1_rule | The system will be configured to force users to log off when their allowed logon hours expire. |
| | SV-32340r1_rule | The system will be configured to the required LDAP client signing level. |
| | SV-32341r1_rule | The system will be configured to meet the minimum session security requirement for NTLM SSP based clients. |
| | SV-32342r1_rule | The system will be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. |
| | SV-32343r2_rule | The system must be configured to require case insensitivity for non-Windows subsystems. |
| | SV-32498r1_rule | Remote Desktop Services will limit users to one remote session. |
| | SV-32490r1_rule | Remote Desktop Services will always prompt a client for passwords upon connection. |
| | SV-32491r2_rule | Remote Desktop Services will be configured with the client connection encryption set to the required level. |
| | SV-32492r1_rule | Remote Desktop Services will be configured to use session-specific temporary folders. |
| | SV-32493r1_rule | Remote Desktop Services will delete temporary folders when a session is terminated. |
| | SV-32344r2_rule | The system will be configured to enable the background refresh of Group Policy. |
| | SV-32345r1_rule | The system will be configured to prevent unsolicited remote assistance offers. |
| | SV-32489r2_rule | The time service must synchronize with an appropriate DoD time source. |
| | SV-32348r1_rule | The system will be configured to use Safe DLL Search Mode. |
| | SV-40099r2_rule | Media Player must be configured to prevent automatic checking for updates. |
| | SV-32351r1_rule | Media Player will be configured to prevent automatic Codec downloads. |
| | SV-32266r2_rule | Services will be documented and unnecessary services will not be installed or will be disabled. |
| | SV-32267r2_rule | Audit logs will be reviewed on a daily basis. |
| | SV-32352r1_rule | The system will be configured to meet the minimum session security requirement for NTLM SSP based servers. |
| | SV-32268r1_rule | Security-related Software Patches will be applied. |
| | SV-32353r2_rule | The system must generate an audit event when the audit log reaches a percentage of full threshold. |
| | SV-32354r1_rule | The system will be configured to prevent IP source routing. |
| | SV-32355r1_rule | The system will be configured to prevent ICMP redirects from overriding OSPF generated routes. |
| | SV-32356r1_rule | The system will be configured to disable the Internet Router Discovery Protocol (IRDP). |
| | SV-32357r1_rule | The system will be configured to limit how often keep-alive packets are sent. |
| | SV-32358r2_rule | The system must be configured to ignore NetBIOS name release requests except from WINS servers. |
| | SV-32359r2_rule | The system must limit how many times unacknowledged TCP data is retransmitted. |
| | SV-32360r1_rule | The system will be configured to have password protection take effect within a limited time frame when the screen saver becomes active. |
| | SV-32485r2_rule | Unauthorized remotely accessible registry paths and sub-paths must not be configured. |
| | SV-32361r2_rule | Users must be required to enter a password to access private keys stored on the computer. |
| | SV-32362r1_rule | Optional Subsystems will not be permitted to operate on the system. |
| | SV-32499r1_rule | The Remote Desktop Session Host will require secure RPC communications. |
| | SV-32364r1_rule | Group Policy objects will be reprocessed even if they have not changed. |
| | SV-32365r1_rule | Outgoing secure channel traffic will be encrypted or signed. |
| | SV-32366r1_rule | The Windows SMB client will be enabled to always perform SMB packet signing. |
| | SV-32367r1_rule | The Windows SMB server will be enabled to always perform SMB packet signing. |
| | SV-32368r1_rule | Anonymous access to Named Pipes and Shares will be restricted. |
| | SV-32369r1_rule | For systems utilizing a logon ID as the individual identifier, passwords will, at a minimum, be 14 characters. |
| | SV-32269r2_rule | Windows 2008 R2 passwords must be configured to expire. |
| | SV-32270r2_rule | Windows 2008 R2 accounts must be configured to require passwords. |
| | SV-32371r1_rule | The system will be configured to prevent the display of the last user name on the logon screen. |
| | SV-32274r2_rule | The Windows 2008 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization. |
| | SV-32275r2_rule | Audit data must be retained for at least one year. |
| | SV-32372r2_rule | Auditing Access of Global System Objects must be turned off. |
| | SV-32373r1_rule | Audit of Backup and Restore Privileges will be turned off. |
| | SV-32374r1_rule | Audit policy using subcategories will be enabled. |
| | SV-32375r1_rule | IPSec Exemptions will be limited. |
| | SV-32376r1_rule | User Account Control approval mode for the built-in Administrator will be enabled. |
| | SV-32377r1_rule | User Account Control will, at a minimum, prompt administrators for consent. |
| | SV-32382r1_rule | User Account Control will automatically deny standard user requests for elevation. |
| | SV-32383r1_rule | User Account Control will be configured to detect application installations and prompt for elevation. |
| | SV-32384r1_rule | User Account Control will only elevate UIAccess applications that are installed in secure locations. |
| | SV-32387r1_rule | User Account Control will run all administrators in Admin Approval Mode, enabling UAC. |
| | SV-32391r1_rule | User Account Control will switch to the secure desktop when prompting for elevation. |
| | SV-32392r1_rule | User Account Control will virtualize file and registry write failures to per-user locations. |
| | SV-32394r2_rule | Administrator accounts must not be enumerated during elevation. |
| | SV-32496r1_rule | Passwords will not be saved in the Remote Desktop Client. |
| | SV-32497r2_rule | Local drives will be prevented from sharing with Remote Desktop Session Hosts (Remote Desktop Services Role). |
| | SV-32396r2_rule | Unauthenticated RPC clients must be restricted from connecting to the RPC server. |
| | SV-32398r1_rule | Web publishing and online ordering wizards will be prevented from downloading a list of providers. |
| | SV-32401r1_rule | Printing over HTTP will be prevented. |
| | SV-32402r1_rule | Downloading print driver packages over HTTP will be prevented. |
| | SV-32403r1_rule | Windows will be prevented from using Windows Update to search for drivers. |
| | SV-32404r1_rule | Zone information will be preserved when saving attachments. |
| | SV-32405r1_rule | Mechanisms for removing zone information from file attachments will be hidden. |
| | SV-32406r1_rule | The system will notify antivirus when file attachments are opened. |
| | SV-32271r2_rule | Application account passwords must meet DoD requirements for length, complexity and changes. |
| | SV-32272r3_rule | The HBSS McAfee Agent must be installed. |
| | SV-32407r1_rule | Windows Peer-to-Peer networking services will be turned off. |
| | SV-32408r1_rule | Network Bridges will be prohibited in Windows. |
| | SV-32410r1_rule | Event Viewer Events.asp links will be turned off. |
| | SV-32412r1_rule | The Internet File Association service will be turned off. |
| | SV-32414r1_rule | The Order Prints Online wizard will be turned off. |
| | SV-32415r2_rule | The classic logon screen must be required for user logons. |
| | SV-32416r2_rule | Attachments must be prevented from being downloaded from RSS feeds. |
| | SV-32417r1_rule | Windows Explorer shell protocol will run in protected mode. |
| | SV-32418r1_rule | Users will be notified if a web-based program attempts to install software. |
| | SV-32419r1_rule | Users will be prevented from changing installation options. |
| | SV-32420r1_rule | Non-administrators will be prevented from applying vendor signed updates. |
| | SV-32421r1_rule | Users will not be presented with Privacy and Installation options on first use of Windows Media Player. |
| | SV-32422r1_rule | The Mapper I/O network protocol driver will be disabled. |
| | SV-32423r1_rule | The Responder network protocol driver will be disabled. |
| | SV-32424r1_rule | The configuration of wireless devices using Windows Connect Now will be disabled. |
| | SV-32425r1_rule | The Windows Connect Now wizards will be disabled. |
| | SV-32470r1_rule | Remote access to the Plug and Play interface will be disabled for device installation. |
| | SV-32471r1_rule | A system restore point will be created when a new device driver is installed. |
| | SV-32472r1_rule | An Error Report will not be sent when a generic device driver is installed. |
| | SV-32426r1_rule | Users will not be prompted to search Windows Update for device drivers. |
| | SV-32474r1_rule | Errors in handwriting recognition on Tablet PCs will not be reported to Microsoft. |
| | SV-32427r1_rule | Users will be prompted for a password on resume from sleep (on battery). (Applicable to Server 2008 R2 if the system is configured to sleep.) |
| | SV-32428r1_rule | The user will be prompted for a password on resume from sleep (Plugged In). (Applicable on Server 2008 R2 if the system is configured to sleep.) |
| | SV-32429r1_rule | Remote Assistance log files will be generated. |
| | SV-32475r1_rule | Game explorer information will not be downloaded from Windows Metadata Services. |
| | SV-32430r1_rule | Windows Defender SpyNet membership will be disabled. |
| | SV-32434r1_rule | Windows Explorer heap termination on corruption will be disabled. |
| | SV-32436r1_rule | Windows Media Digital Rights Management will be prevented from accessing the Internet. |
| | SV-32437r1_rule | Users will be prevented from sharing files in their profiles. |
| | SV-32276r2_rule | Software certificate installation files must be removed from Windows 2008 R2. |
| | SV-32438r1_rule | UIAccess applications will not be allowed to prompt for elevation without using the secure desktop. |
| | SV-32501r1_rule | The system will be configured to prevent users from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role) |
| | SV-32502r1_rule | The system will be configured to prevent users from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role) |
| | SV-32506r1_rule | The system will be configured to prevent users from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role) |
| | SV-32507r1_rule | The system will be configured to ensure smart card devices can be redirected to the Remote Desktop Session. (Remote Desktop Services Role) |
| | SV-32508r2_rule | The system will be configured to allow only the default client printer to be redirected in the Remote Desktop session. (Remote Desktop Services Role) |
| | SV-32439r1_rule | Windows will elevate all applications in User Account Control, not just signed ones. |
| | SV-32440r1_rule | The Windows Customer Experience Improvement Program will be disabled. |
| | SV-32442r1_rule | The Windows Help Experience Improvement Program will be disabled. |
| | SV-32443r1_rule | Windows Help Ratings feedback will be turned off. |
| | SV-32444r3_rule | Unauthorized accounts must not have the Debug programs user right. |
| | SV-32441r1_rule | The service principal name (SPN) target name validation level will be turned off. |
| | SV-32445r1_rule | Services using Local System that use negotiate when reverting to NTLM authentication will use the computer identity vs. authenticating anonymously. |
| | SV-32446r1_rule | NTLM will be prevented from falling back to a Null session. |
| | SV-32447r1_rule | PKU2U authentication using online identities will be prevented. |
| | SV-32706r3_rule | The use of DES encryption suites must not be allowed for Kerberos encryption. |
| | SV-32449r1_rule | IPv6 source routing will be configured to highest protection. |
| | SV-32450r2_rule | IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted. |
| | SV-32451r1_rule | Domain users will be required to elevate when setting a network's location. |
| | SV-32452r1_rule | All Direct Access traffic will be routed through the internal network. |
| | SV-32453r1_rule | Windows Update will be prevented from searching for point and print drivers. |
| | SV-32454r2_rule | Device metadata retrieval from the Internet must be prevented. |
| | SV-32455r1_rule | Device driver searches using Windows Update will be prevented. |
| | SV-32456r1_rule | Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft will be prevented. |
| | SV-32457r1_rule | Access to Windows Online Troubleshooting Service (WOTS) will be prevented. |
| | SV-32458r1_rule | Responsiveness events will be prevented from being aggregated and sent to Microsoft. |
| | SV-32459r1_rule | The Application Compatibility Program Inventory will be prevented from collecting data and sending the information to Microsoft. |
| | SV-32460r1_rule | Autoplay will be turned off for non-volume devices. |
| | SV-32461r1_rule | Downloading of game update information will be turned off. |
| | SV-32462r1_rule | The system will be prevented from joining a homegroup. |
| | SV-32707r2_rule | Windows Anytime Upgrade will be disabled. |
| | SV-32465r1_rule | Explorer Data Execution Prevention will be enabled. |
| | SV-32467r1_rule | The default autorun behavior will be configured to prevent autorun commands. |
| | SV-33310r3_rule | Standard user accounts must only have Read permissions to the Winlogon registry key. |
| | SV-33732r1_rule | Anonymous enumeration of SAM accounts will not be allowed. |
| | SV-33733r2_rule | The Windows dialog box title for the legal banner will be configured. |
| | SV-33374r2_rule | Unauthorized accounts must not have the Access Credential Manager as a trusted caller user right. |
| | SV-33376r4_rule | The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers. |
| | SV-33380r2_rule | Unauthorized accounts must not have the Allow log on locally user right. |
| | SV-83317r1_rule | The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group and other approved groups. |
| | SV-33382r2_rule | Unauthorized accounts must not have the Back up files and directories user right. |
| | SV-33384r2_rule | Unauthorized accounts must not have the Change the system time user right. |
| | SV-33386r2_rule | Unauthorized accounts must not have the Create a pagefile user right. |
| | SV-33392r2_rule | Unauthorized accounts must not have the Create a token object user right. |
| | SV-33394r2_rule | Unauthorized accounts must not have the Create global objects user right. |
| | SV-33396r2_rule | Unauthorized accounts must not have the Create permanent shared objects user right. |
| | SV-33400r2_rule | Unauthorized accounts must not have the Create symbolic links user right. |
| | SV-33403r2_rule | The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. |
| | SV-33405r2_rule | The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right. |
| | SV-33408r4_rule | The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. |
| | SV-33411r6_rule | The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and unauthenticated access on all systems. |
| | SV-33414r2_rule | Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right. |
| | SV-33421r2_rule | Unauthorized accounts must not have the Force shutdown from a remote system user right. |
| | SV-33423r2_rule | Unauthorized accounts must not have the Generate security audits user right. |
| | SV-33425r2_rule | Unauthorized accounts must not have the Impersonate a client after authentication user right. |
| | SV-33427r2_rule | Unauthorized accounts must not have the Increase scheduling priority user right. |
| | SV-33429r2_rule | Unauthorized accounts must not have the Load and unload device drivers user right. |
| | SV-33431r2_rule | Unauthorized accounts must not have the Lock pages in memory user right. |
| | SV-33484r4_rule | Unauthorized accounts must not have the Manage auditing and security log user right. |
| | SV-33485r2_rule | Unauthorized accounts must not have the Modify an object label user right. |
| | SV-33488r2_rule | Unauthorized accounts must not have the Modify firmware environment values user right. |
| | SV-33489r2_rule | Unauthorized accounts must not have the Perform volume maintenance tasks user right. |
| | SV-33490r2_rule | Unauthorized accounts must not have the Profile single process user right. |
| | SV-33491r2_rule | Unauthorized accounts must not have the Profile system performance user right. |
| | SV-33494r2_rule | Unauthorized accounts must not have the Replace a process level token user right. |
| | SV-33495r2_rule | Unauthorized accounts must not have the Restore files and directories user right. |
| | SV-33498r2_rule | Unauthorized accounts must not have the Take ownership of files or other objects user right. |
| | SV-33616r1_rule | The system will be configured to audit "Account Logon -> Credential Validation" successes. |
| | SV-33617r1_rule | The system will be configured to audit "Account Logon -> Credential Validation" failures. |
| | SV-33623r1_rule | The system will be configured to audit "Account Management -> Other Account Management Events" successes. |
| | SV-33628r1_rule | The system will be configured to audit "Account Management -> Security Group Management" successes. |
| | SV-33632r1_rule | The system will be configured to audit "Account Management -> User Account Management" successes. |
| | SV-33633r1_rule | The system will be configured to audit "Account Management -> User Account Management" failures. |
| | SV-33635r1_rule | The system will be configured to audit "Detailed Tracking -> Process Creation" successes. |
| | SV-33638r1_rule | The system will be configured to audit "Logon/Logoff -> Logoff" successes. |
| | SV-33641r1_rule | The system will be configured to audit "Logon/Logoff -> Logon" successes. |
| | SV-33643r1_rule | The system will be configured to audit "Logon/Logoff -> Logon" failures. |
| | SV-33644r1_rule | The system will be configured to audit "Logon/Logoff -> Special Logon" successes. |
| | SV-33648r1_rule | The system will be configured to audit "Policy Change -> Audit Policy Change" successes. |
| | SV-33650r1_rule | The system will be configured to audit "Policy Change -> Audit Policy Change" failures. |
| | SV-33653r1_rule | The system will be configured to audit "Policy Change -> Authentication Policy Change" successes. |
| | SV-33654r1_rule | The system will be configured to audit "Privilege Use -> Sensitive Privilege Use" successes. |
| | SV-33656r1_rule | The system will be configured to audit "Privilege Use -> Sensitive Privilege Use" failures. |
| | SV-33658r1_rule | The system will be configured to audit "System -> IPSec Driver" successes. |
| | SV-33659r1_rule | The system will be configured to audit "System -> IPSec Driver" failures. |
| | SV-33660r1_rule | The system will be configured to audit "System -> Security State Change" successes. |
| | SV-33663r1_rule | The system will be configured to audit "System -> Security System Extension" successes. |
| | SV-33666r1_rule | The system will be configured to audit "System -> System Integrity" successes. |
| | SV-33667r1_rule | The system will be configured to audit "System -> System Integrity" failures. |
| | SV-33685r1_rule | The 6to4 IPv6 transition technology will be disabled. |
| | SV-33686r1_rule | The IP-HTTPS IPv6 transition technology will be disabled. |
| | SV-33689r1_rule | The ISATAP IPv6 transition technology will be disabled. |
| | SV-33691r1_rule | The Teredo IPv6 transition technology will be disabled. |
| | SV-33693r2_rule | The Application event log must be configured to a minimum size requirement. |
| | SV-33695r2_rule | The Security event log must be configured to a minimum size requirement. |
| | SV-33698r2_rule | The Setup event log must be configured to a minimum size requirement. |
| | SV-33700r2_rule | The System event log must be configured to a minimum size requirement. |
| | SV-33723r1_rule | The Fax service will be disabled. |
| | SV-33725r2_rule | The Microsoft FTP service must not be installed unless required. |
| | SV-33729r1_rule | The Peer Networking Identity Manager service will be disabled. |
| | SV-33731r1_rule | The Simple TCP/IP Services service will be disabled. |
| | SV-33721r1_rule | The Telnet service will be disabled. |
| | SV-36284r1_rule | Windows will be prevented from sending an error report when a device driver requests additional software during installation. |
| | SV-42596r6_rule | The DoD Root CA certificates must be installed in the Trusted Root Store. |
| | SV-42607r8_rule | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. |
| | SV-42619r2_rule | Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key. |
| | SV-46220r1_rule | The Windows Installer Always install with elevated privileges must be disabled. |
| | SV-47848r3_rule | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. |
| | SV-47866r2_rule | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. |
| | SV-52397r5_rule | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. |
| | SV-92761r1_rule | Windows Server 2008 R2 must be configured to audit Policy Change - Authorization Policy Change successes. |
| | SV-75123r4_rule | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. |
| | SV-87389r1_rule | WDigest Authentication must be disabled. |
| | SV-88191r2_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. |
| | SV-88199r2_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. |
| | SV-90601r1_rule | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2008 R2. |
| | SV-92753r2_rule | Windows Server 2008 R2 must be configured to audit Logon/Logoff - Account Lockout successes. |
| | SV-92755r2_rule | Windows Server 2008 R2 must be configured to audit Logon/Logoff - Account Lockout failures. |
| | SV-92757r2_rule | Windows Server 2008 R2 must be configured to audit System - Other System Events successes. |
| | SV-92759r2_rule | Windows Server 2008 R2 must be configured to audit System - Other System Events failures. |
| | SV-95177r1_rule | Windows PowerShell must be updated to a version that supports script block logging on Windows 2008 R2. |
| | SV-95181r1_rule | PowerShell script block logging must be enabled on Windows 2008 R2. |