STIGQter: STIG Summary: Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide

Version: 2

Release: 19

Benchmark Date: 24 Jan 2020

Checked | Name | Title
        | SV-52838r1_rule | Server systems must be located in a controlled access area, accessible only to authorized personnel.
        | SV-52839r2_rule | Shared user accounts must not be permitted on the system.
        | SV-53189r2_rule | Systems must be maintained at a supported service pack level.
        | SV-52103r4_rule | The Windows 2012 / 2012 R2 system must use an anti-virus program.
        | SV-52840r1_rule | The shutdown option must not be available from the logon dialog box.
        | SV-52841r2_rule | System-level information must be backed up in accordance with local recovery time and recovery point objectives.
        | SV-52843r3_rule | Local volumes must use a format that supports NTFS attributes.
        | SV-52845r3_rule | The required legal notice must be configured to display before console logon.
        | SV-52846r2_rule | Caching of logon credentials must be limited.
        | SV-52847r1_rule | Anonymous enumeration of shares must be restricted.
        | SV-52848r1_rule | The number of allowed bad logon attempts must meet minimum requirements.
        | SV-52849r2_rule | The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012.
        | SV-52850r2_rule | Windows 2012 account lockout duration must be configured to 15 minutes or greater.
        | SV-52108r3_rule | The Act as part of the operating system user right must not be assigned to any groups or accounts.
        | SV-52851r1_rule | The maximum password age must meet requirements.
        | SV-52852r1_rule | The minimum password age must meet requirements.
        | SV-52853r2_rule | The password history must be configured to 24 passwords remembered.
        | SV-52854r4_rule | Outdated or unused accounts must be removed from the system or disabled.
        | SV-52855r1_rule | The built-in guest account must be disabled.
        | SV-52856r1_rule | The built-in guest account must be renamed.
        | SV-52857r1_rule | The built-in administrator account must be renamed.
        | SV-52858r1_rule | The system must not boot into multiple operating systems (dual-boot).
        | SV-52106r2_rule | File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.
        | SV-52212r2_rule | File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive.
        | SV-51157r1_rule | Only administrators responsible for the domain controller must have Administrator rights on the system.
        | SV-52859r2_rule | Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
        | SV-52213r2_rule | Nonadministrative user accounts or groups must only have print permissions on printer shares.
        | SV-52860r1_rule | Users must be forcibly disconnected when their logon hours expire.
        | SV-52861r2_rule | Unencrypted passwords must not be sent to third-party SMB Servers.
        | SV-52107r2_rule | Automatic logons must be disabled.
        | SV-52863r2_rule | The built-in Windows password complexity policy must be enabled.
        | SV-52214r2_rule | The print driver installation privilege must be restricted to administrators.
        | SV-52864r3_rule | Anonymous access to the registry must be restricted.
        | SV-52865r1_rule | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
        | SV-52866r1_rule | The Ctrl+Alt+Del security attention sequence for logons must be enabled.
        | SV-51144r1_rule | The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
        | SV-52867r2_rule | The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
        | SV-52870r2_rule | The Windows SMB server must perform SMB packet signing when possible.
        | SV-52871r3_rule | Outgoing secure channel traffic must be encrypted when possible.
        | SV-52872r3_rule | Outgoing secure channel traffic must be signed when possible.
        | SV-52873r1_rule | The computer account password must not be prevented from being reset.
        | SV-52874r2_rule | The Windows SMB client must be enabled to perform SMB packet signing when possible.
        | SV-52156r2_rule | Members of the Backup Operators group must be documented.
        | SV-52875r1_rule | Ejection of removable NTFS media must be restricted to Administrators.
        | SV-52876r1_rule | Users must be warned in advance of their passwords expiring.
        | SV-52877r1_rule | The default permissions of global system objects must be increased.
        | SV-52878r3_rule | The amount of idle time required before suspending a session must be properly set.
        | SV-52880r1_rule | Reversible password encryption must be disabled.
        | SV-52879r2_rule | Autoplay must be disabled for all drives.
        | SV-51160r2_rule | Kerberos user logon restrictions must be enforced.
        | SV-51162r2_rule | The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
        | SV-51164r2_rule | The Kerberos user ticket lifetime must be limited to 10 hours or less.
        | SV-51166r2_rule | The Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less.
        | SV-51168r3_rule | The computer clock synchronization tolerance must be limited to 5 minutes or less.
        | SV-52215r2_rule | System files must be monitored for unauthorized changes.
        | SV-52881r3_rule | Non system-created file shares on a system must limit access to groups that require it.
        | SV-52105r3_rule | Servers must have a host-based Intrusion Detection System.
        | SV-52882r1_rule | Anonymous SID/Name translation must not be allowed.
        | SV-51138r2_rule | Named pipes that can be accessed anonymously must be configured with limited values on domain controllers.
        | SV-52883r2_rule | Unauthorized remotely accessible registry paths must not be configured.
        | SV-52884r1_rule | Network shares that can be accessed anonymously must not be allowed.
        | SV-52885r1_rule | Solicited Remote Assistance must not be allowed.
        | SV-52886r1_rule | Local accounts with blank passwords must be restricted to prevent access from the network.
        | SV-52887r1_rule | The maximum age for machine account passwords must be set to requirements.
        | SV-52888r2_rule | The system must be configured to require a strong session key.
        | SV-52890r1_rule | The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
        | SV-52891r1_rule | The system must be configured to use the Classic security model.
        | SV-52892r2_rule | The system must be configured to prevent the storage of the LAN Manager hash of passwords.
        | SV-52893r1_rule | The system must be configured to force users to log off when their allowed logon hours expire.
        | SV-52894r1_rule | The system must be configured to the required LDAP client signing level.
        | SV-52895r1_rule | The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients.
        | SV-52896r2_rule | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
        | SV-52897r1_rule | The system must be configured to require case insensitivity for non-Windows subsystems.
        | SV-52216r2_rule | Remote Desktop Services must limit users to one remote session.
        | SV-52898r1_rule | Remote Desktop Services must always prompt a client for passwords upon connection.
        | SV-52899r2_rule | Remote Desktop Services must be configured with the client connection encryption set to the required level.
        | SV-52900r1_rule | Remote Desktop Services must be configured to use session-specific temporary folders.
        | SV-52901r1_rule | Remote Desktop Services must delete temporary folders when a session is terminated.
        | SV-52906r1_rule | Group Policies must be refreshed in the background if the user is logged on.
        | SV-52917r1_rule | The system must be configured to prevent unsolicited remote assistance offers.
        | SV-52919r3_rule | The time service must synchronize with an appropriate DoD time source.
        | SV-52920r1_rule | The system must be configured to use Safe DLL Search Mode.
        | SV-53130r1_rule | Windows Media Player must be configured to prevent automatic checking for updates.
        | SV-52921r1_rule | Media Player must be configured to prevent automatic Codec downloads.
        | SV-52218r2_rule | Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system.
        | SV-52922r1_rule | The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers.
        | SV-52923r2_rule | The system must generate an audit event when the audit log reaches a percentage of full threshold.
        | SV-52924r1_rule | The system must be configured to prevent IP source routing.
        | SV-52925r1_rule | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
        | SV-52926r1_rule | The system must be configured to disable the Internet Router Discovery Protocol (IRDP).
        | SV-52927r1_rule | The system must be configured to limit how often keep-alive packets are sent.
        | SV-52928r2_rule | The system must be configured to ignore NetBIOS name release requests except from WINS servers.
        | SV-51140r3_rule | Domain controllers must require LDAP access signing.
        | SV-51141r2_rule | Domain controllers must be configured to allow reset of machine account passwords.
        | SV-52929r2_rule | The system must limit how many times unacknowledged TCP data is retransmitted.
        | SV-52930r1_rule | The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
        | SV-52931r2_rule | Unauthorized remotely accessible registry paths and sub-paths must not be configured.
        | SV-52219r2_rule | Optional Subsystems must not be permitted to operate on the system.
        | SV-52932r2_rule | The Remote Desktop Session Host must require secure RPC communications.
        | SV-52933r1_rule | Group Policy objects must be reprocessed even if they have not changed.
        | SV-52934r2_rule | Outgoing secure channel traffic must be encrypted or signed.
        | SV-52935r2_rule | The Windows SMB client must be configured to always perform SMB packet signing.
        | SV-52936r2_rule | The Windows SMB server must be configured to always perform SMB packet signing.
        | SV-52937r1_rule | Anonymous access to Named Pipes and Shares must be restricted.
        | SV-52938r2_rule | Passwords must, at a minimum, be 14 characters.
        | SV-52939r4_rule | Windows 2012/2012 R2 passwords must be configured to expire.
        | SV-52940r3_rule | Windows 2012/2012 R2 accounts must be configured to require passwords.
        | SV-51175r3_rule | Active Directory data files must have proper access control permissions.
        | SV-51180r2_rule | Data files owned by users must be on a different logical partition from the directory server data files.
        | SV-51181r2_rule | Time synchronization must be enabled on the domain controller.
        | SV-51182r3_rule | The time synchronization tool must be configured to enable logging of time source switching.
        | SV-51183r2_rule | The directory server supporting (directly or indirectly) system access or resource authorization must run on a machine dedicated to that function.
        | SV-51184r2_rule | Windows services that are critical for directory server operation must be configured for automatic startup.
        | SV-52941r1_rule | The system must be configured to prevent the display of the last username on the logon screen.
        | SV-52942r3_rule | Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.
        | SV-53129r1_rule | Auditing the Access of Global System Objects must be turned off.
        | SV-52943r1_rule | Auditing of Backup and Restore Privileges must be turned off.
        | SV-52944r1_rule | Audit policy using subcategories must be enabled.
        | SV-52945r1_rule | IPSec Exemptions must be limited.
        | SV-52946r1_rule | User Account Control approval mode for the built-in Administrator must be enabled.
        | SV-52947r1_rule | User Account Control must, at minimum, prompt administrators for consent.
        | SV-52948r1_rule | User Account Control must automatically deny standard user requests for elevation.
        | SV-52949r1_rule | User Account Control must be configured to detect application installations and prompt for elevation.
        | SV-52950r1_rule | User Account Control must only elevate UIAccess applications that are installed in secure locations.
        | SV-52951r1_rule | User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
        | SV-52952r1_rule | User Account Control must switch to the secure desktop when prompting for elevation.
        | SV-52953r1_rule | User Account Control must virtualize file and registry write failures to per-user locations.
        | SV-52955r2_rule | Administrator accounts must not be enumerated during elevation.
        | SV-52958r1_rule | Passwords must not be saved in the Remote Desktop Client.
        | SV-52959r1_rule | Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role).
        | SV-52997r1_rule | Printing over HTTP must be prevented.
        | SV-52998r1_rule | Downloading print driver packages over HTTP must be prevented.
        | SV-53000r1_rule | Windows must be prevented from using Windows Update to search for drivers.
        | SV-53002r1_rule | Zone information must be preserved when saving attachments.
        | SV-53004r1_rule | Mechanisms for removing zone information from file attachments must be hidden.
        | SV-53006r1_rule | The system must notify antivirus when file attachments are opened.
        | SV-51185r3_rule | Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
        | SV-51186r2_rule | Anonymous access to the root DSE of a non-public directory must be disabled.
        | SV-51187r2_rule | Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
        | SV-51190r2_rule | Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
        | SV-51188r2_rule | The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
        | SV-51192r4_rule | Active directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
        | SV-53010r3_rule | The HBSS McAfee Agent must be installed.
        | SV-53012r1_rule | Windows Peer-to-Peer networking services must be turned off.
        | SV-53014r2_rule | Network Bridges must be prohibited in Windows.
        | SV-53017r1_rule | Event Viewer Events.asp links must be turned off.
        | SV-53021r1_rule | The Internet File Association service must be turned off.
        | SV-53040r1_rule | Attachments must be prevented from being downloaded from RSS feeds.
        | SV-53045r1_rule | File Explorer shell protocol must run in protected mode.
        | SV-53056r2_rule | Users must be notified if a web-based program attempts to install software.
        | SV-53061r1_rule | Users must be prevented from changing installation options.
        | SV-53065r1_rule | Nonadministrators must be prevented from applying vendor-signed updates.
        | SV-53069r1_rule | Users must not be presented with Privacy and Installation options on first use of Windows Media Player.
        | SV-53072r1_rule | The Mapper I/O network protocol (LLTDIO) driver must be disabled.
        | SV-53081r1_rule | The Responder network protocol driver must be disabled.
        | SV-53085r1_rule | The configuration of wireless devices using Windows Connect Now must be disabled.
        | SV-53089r1_rule | The Windows Connect Now wizards must be disabled.
        | SV-53094r1_rule | Remote access to the Plug and Play interface must be disabled for device installation.
        | SV-53099r1_rule | A system restore point must be created when a new device driver is installed.
        | SV-53105r1_rule | An Error Report must not be sent when a generic device driver is installed.
        | SV-53115r1_rule | Users must not be prompted to search Windows Update for device drivers.
        | SV-53116r1_rule | Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.
        | SV-53131r1_rule | Users must be prompted to authenticate on resume from sleep (on battery).
        | SV-53132r1_rule | The user must be prompted to authenticate on resume from sleep (plugged in).
        | SV-53133r1_rule | Remote Assistance log files must be generated.
        | SV-53137r1_rule | Turning off File Explorer heap termination on corruption must be disabled.
        | SV-53139r1_rule | Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet.
        | SV-53140r2_rule | Users must be prevented from sharing files in their profiles.
        | SV-53141r4_rule | Software certificate installation files must be removed from Windows 2012/2012 R2.
        | SV-52223r2_rule | UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
        | SV-52224r2_rule | Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).
        | SV-52226r2_rule | Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).
        | SV-52229r2_rule | Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).
        | SV-52230r2_rule | The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role).
        | SV-53142r1_rule | Windows must elevate all applications in User Account Control, not just signed ones.
        | SV-53143r1_rule | The Windows Customer Experience Improvement Program must be disabled.
        | SV-53144r1_rule | The Windows Help Experience Improvement Program must be disabled.
        | SV-53145r1_rule | Windows Help Ratings feedback must be turned off.
        | SV-52115r3_rule | The Debug programs user right must only be assigned to the Administrators group.
        | SV-53175r1_rule | The service principal name (SPN) target name validation level must be turned off.
        | SV-53176r1_rule | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
        | SV-53177r1_rule | NTLM must be prevented from falling back to a Null session.
        | SV-53178r1_rule | PKU2U authentication using online identities must be prevented.
        | SV-53179r4_rule | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
        | SV-53180r2_rule | IPv6 source routing must be configured to the highest protection level.
        | SV-53181r2_rule | IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.
        | SV-53182r1_rule | Domain users must be required to elevate when setting a network's location.
        | SV-53183r1_rule | All Direct Access traffic must be routed through the internal network.
        | SV-53184r1_rule | Windows Update must be prevented from searching for point and print drivers.
        | SV-53185r2_rule | Device metadata retrieval from the Internet must be prevented.
        | SV-53186r1_rule | Device driver searches using Windows Update must be prevented.
        | SV-53187r1_rule | Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.
        | SV-53188r1_rule | Access to Windows Online Troubleshooting Service (WOTS) must be prevented.
        | SV-53128r1_rule | Responsiveness events must be prevented from being aggregated and sent to Microsoft.
        | SV-53127r1_rule | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
        | SV-53126r2_rule | Autoplay must be turned off for non-volume devices.
        | SV-53125r1_rule | Explorer Data Execution Prevention must be enabled.
        | SV-53124r2_rule | The default Autorun behavior must be configured to prevent Autorun commands.
        | SV-53123r4_rule | Standard user accounts must only have Read permissions to the Winlogon registry key.
        | SV-53122r1_rule | Anonymous enumeration of SAM accounts must not be allowed.
        | SV-53121r2_rule | The Windows dialog box title for the legal banner must be configured.
        | SV-53120r2_rule | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
        | SV-51142r2_rule | Unauthorized accounts must not have the Access this computer from the network user right on domain controllers.
        | SV-52110r3_rule | The Allow log on locally user right must only be assigned to the Administrators group.
        | SV-53119r2_rule | The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
        | SV-52111r3_rule | The Back up files and directories user right must only be assigned to the Administrators group.
        | SV-53063r2_rule | The Create a pagefile user right must only be assigned to the Administrators group.
        | SV-52113r3_rule | The Create a token object user right must not be assigned to any groups or accounts.
        | SV-52114r3_rule | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
        | SV-53059r2_rule | The Create permanent shared objects user right must not be assigned to any groups or accounts.
        | SV-53054r3_rule | The Create symbolic links user right must only be assigned to the Administrators group.
        | SV-51145r1_rule | The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
        | SV-51146r1_rule | The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
        | SV-51147r1_rule | The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
        | SV-51148r1_rule | The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
        | SV-51149r1_rule | Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on domain controllers.
        | SV-53050r2_rule | The Force shutdown from a remote system user right must only be assigned to the Administrators group.
        | SV-52116r3_rule | The Generate security audits user right must only be assigned to Local Service and Network Service.
        | SV-52117r3_rule | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
        | SV-52118r3_rule | The Increase scheduling priority user right must only be assigned to the Administrators group.
        | SV-53043r2_rule | The Load and unload device drivers user right must only be assigned to the Administrators group.
        | SV-52119r3_rule | The Lock pages in memory user right must not be assigned to any groups or accounts.
        | SV-53039r4_rule | The Manage auditing and security log user right must only be assigned to the Administrators group.
        | SV-53029r2_rule | The Modify firmware environment values user right must only be assigned to the Administrators group.
        | SV-53025r2_rule | The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
        | SV-53022r2_rule | The Profile single process user right must only be assigned to the Administrators group.
        | SV-52122r3_rule | The Restore files and directories user right must only be assigned to the Administrators group.
        | SV-52123r3_rule | The Take ownership of files or other objects user right must only be assigned to the Administrators group.
        | SV-53013r2_rule | The system must be configured to audit Account Logon - Credential Validation successes.
        | SV-53011r2_rule | The system must be configured to audit Account Logon - Credential Validation failures.
        | SV-52234r4_rule | Windows Server 2012/2012 R2 domain controllers must be configured to audit Account Management - Computer Account Management successes.
        | SV-53009r1_rule | The system must be configured to audit Account Management - Other Account Management Events successes.
        | SV-53007r2_rule | The system must be configured to audit Account Management - Security Group Management successes.
        | SV-53003r2_rule | The system must be configured to audit Account Management - User Account Management successes.
        | SV-53001r2_rule | The system must be configured to audit Account Management - User Account Management failures.
        | SV-52999r1_rule | The system must be configured to audit Detailed Tracking - Process Creation successes.
        | SV-52996r2_rule | The system must be configured to audit Logon/Logoff - Logoff successes.
        | SV-52994r2_rule | The system must be configured to audit Logon/Logoff - Logon successes.
        | SV-52993r2_rule | The system must be configured to audit Logon/Logoff - Logon failures.
        | SV-52987r1_rule | The system must be configured to audit Logon/Logoff - Special Logon successes.
        | SV-52983r1_rule | The system must be configured to audit Policy Change - Audit Policy Change successes.
        | SV-52982r1_rule | The system must be configured to audit Policy Change - Audit Policy Change failures.
        | SV-52981r1_rule | The system must be configured to audit Policy Change - Authentication Policy Change successes.
        | SV-52980r1_rule | The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
        | SV-52979r1_rule | The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
        | SV-52978r1_rule | The system must be configured to audit System - IPsec Driver successes.
        | SV-52977r1_rule | The system must be configured to audit System - IPsec Driver failures.
        | SV-52976r1_rule | The system must be configured to audit System - Security State Change successes.
        | SV-52974r1_rule | The system must be configured to audit System - Security System Extension successes.
        | SV-52972r1_rule | The system must be configured to audit System - System Integrity successes.
        | SV-52971r1_rule | The system must be configured to audit System - System Integrity failures.
        | SV-52970r1_rule | The 6to4 IPv6 transition technology must be disabled.
        | SV-52969r1_rule | The IP-HTTPS IPv6 transition technology must be disabled.
        | SV-52968r1_rule | The ISATAP IPv6 transition technology must be disabled.
        | SV-52967r1_rule | The Teredo IPv6 transition technology must be disabled.
        | SV-52966r2_rule | The Application event log size must be configured to 32768 KB or greater.
        | SV-52965r2_rule | The Security event log size must be configured to 196608 KB or greater.
        | SV-52964r2_rule | The Setup event log size must be configured to 32768 KB or greater.
        | SV-52963r2_rule | The System event log size must be configured to 32768 KB or greater.
        | SV-52236r2_rule | The Fax service must be disabled if installed.
        | SV-52237r4_rule | The Microsoft FTP service must not be installed unless required.
        | SV-52238r2_rule | The Peer Networking Identity Manager service must be disabled if installed.
        | SV-52239r2_rule | The Simple TCP/IP Services service must be disabled if installed.
        | SV-52240r2_rule | The Telnet service must be disabled if installed.
        | SV-51191r5_rule | PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
        | SV-52962r1_rule | Windows must be prevented from sending an error report when a device driver requests additional software during installation.
        | SV-51143r2_rule | Unauthorized accounts must not have the Add workstations to domain user right.
        | SV-52961r6_rule | The DoD Root CA certificates must be installed in the Trusted Root Store.
        | SV-52957r7_rule | The DoD Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.
        | SV-52956r3_rule | Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
        | SV-51151r2_rule | The system must be configured to audit DS Access - Directory Service Access successes.
        | SV-51152r2_rule | The system must be configured to audit DS Access - Directory Service Access failures.
        | SV-51153r2_rule | The system must be configured to audit DS Access - Directory Service Changes successes.
        | SV-51155r2_rule | The system must be configured to audit DS Access - Directory Service Changes failures.
        | SV-51177r5_rule | Active Directory Group Policy objects must have proper access control permissions.
        | SV-52954r1_rule | The Windows Installer Always install with elevated privileges option must be disabled.
        | SV-51578r2_rule | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
        | SV-51758r2_rule | A screen saver must be enabled on the system.
        | SV-51760r1_rule | The screen saver must be password protected.
        | SV-51575r2_rule | Users with administrative privilege must be documented.
        | SV-51576r1_rule | Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
        | SV-51579r1_rule | Policy must require application account passwords be at least 15 characters in length.
        | SV-51580r3_rule | Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
        | SV-51577r1_rule | Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.
        | SV-51604r2_rule | The system must be configured to audit Object Access - Removable Storage failures.
        | SV-51601r2_rule | The system must be configured to audit Object Access - Removable Storage successes.
        | SV-51561r1_rule | Audit data must be reviewed on a regular basis.
        | SV-51563r1_rule | Audit data must be retained for at least one year.
        | SV-51566r2_rule | Audit records must be backed up onto a different system or media than the system being audited.
        | SV-51605r1_rule | IP stateless autoconfiguration limits state must be enabled.
        | SV-51606r1_rule | Optional component installation and component repair must be prevented from using Windows Update.
        | SV-51607r1_rule | Device driver updates must only search managed servers, not Windows Update.
        | SV-51608r1_rule | Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.
        | SV-51609r2_rule | Access to the Windows Store must be turned off.
        | SV-51610r1_rule | Copying of user input methods to the system account for sign-in must be prevented.
        | SV-51611r1_rule | Local users on domain-joined computers must not be enumerated.
        | SV-51612r1_rule | App notifications on the lock screen must be turned off.
        | SV-51737r2_rule | The detection of compatibility issues for applications and drivers must be turned off.
        | SV-51738r1_rule | Trusted app installation must be enabled to allow for signed enterprise line of business apps.
        | SV-51739r1_rule | The use of biometrics must be disabled.
        | SV-51740r1_rule | The password reveal button must not be displayed.
        | SV-51747r5_rule | Windows SmartScreen must be enabled on Windows 2012/2012 R2.
        | SV-51748r2_rule | The location feature must be turned off.
        | SV-51749r1_rule | Basic authentication for RSS feeds over HTTP must be turned off.
        | SV-51750r2_rule | Automatic download of updates from the Windows Store must be turned off.
        | SV-51751r2_rule | The Windows Store application must be turned off.
        | SV-51752r1_rule | The Windows Remote Management (WinRM) client must not use Basic authentication.
        | SV-51753r2_rule | The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
        | SV-51754r1_rule | The Windows Remote Management (WinRM) client must not use Digest authentication.
        | SV-51755r2_rule | The Windows Remote Management (WinRM) service must not use Basic authentication.
        | SV-51756r2_rule | The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
        | SV-51757r1_rule | The Windows Remote Management (WinRM) service must not store RunAs credentials.
        | SV-51569r1_rule | Permissions for the Application event log must prevent access by nonprivileged accounts.
        | SV-51571r1_rule | Permissions for the Security event log must prevent access by nonprivileged accounts.
        | SV-51572r1_rule | Permissions for the System event log must prevent access by nonprivileged accounts.
        | SV-51581r2_rule | User-level information must be backed up in accordance with local recovery time and recovery point objectives.
        | SV-51582r3_rule | Windows Server 2012 / 2012 R2 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
        | SV-51583r2_rule | The system must support automated patch management tools to facilitate flaw remediation.
        | SV-51584r1_rule | The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.
        | SV-51596r2_rule | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
        | SV-51762r1_rule | Notifications from Windows Push Network Service must be turned off.
        | SV-51763r1_rule | Toast notifications to the lock screen must be turned off.
        | SV-51169r5_rule | Active Directory Group Policy objects must be configured with proper audit settings.
        | SV-51170r2_rule | The Active Directory Domain object must be configured with proper audit settings.
        | SV-51171r2_rule | The Active Directory Infrastructure object must be configured with proper audit settings.
        | SV-51172r2_rule | The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
        | SV-51173r2_rule | The Active Directory AdminSDHolder object must be configured with proper audit settings.
        | SV-51174r3_rule | The Active Directory RID Manager$ object must be configured with proper audit settings.
        | SV-51176r2_rule | The Active Directory SYSVOL directory must have the proper access control permissions.
        | SV-51178r4_rule | The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
        | SV-51179r3_rule | Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
        | SV-51189r2_rule | Domain controllers must have a PKI server certificate.
        | SV-52130r2_rule | Backups of system-level information must be protected.
        | SV-52131r3_rule | System-related documentation must be backed up in accordance with local recovery time and recovery point objectives.
        | SV-52135r3_rule | Permissions for program file directories must conform to minimum requirements.
        | SV-52136r3_rule | Permissions for system drive root directory (usually C:\) must conform to minimum requirements.
        | SV-52137r3_rule | Permissions for Windows installation directory must conform to minimum requirements.
        | SV-52157r2_rule | Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
        | SV-52159r3_rule | The system must be configured to audit Object Access - Central Access Policy Staging failures.
        | SV-52161r3_rule | The system must be configured to audit Object Access - Central Access Policy Staging successes.
SV-52163r2_ruleOnly the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role).
SV-52165r2_ruleThe Smart Card Removal Policy service must be configured to automatic.
SV-52196r6_ruleThe US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.
SV-55085r1_ruleA host-based firewall must be installed and enabled on the system.
SV-56343r2_ruleThe display of slide shows on the lock screen must be disabled (Windows 2012 R2).
SV-56344r3_ruleWindows 2012 R2 must include command line data in process creation events.
SV-56346r2_ruleThe network selection user interface (UI) must not be displayed on the logon screen (Windows 2012 R2).
SV-56353r2_ruleThe setting to allow Microsoft accounts to be optional for modern style apps must be enabled (Windows 2012 R2).
SV-56355r2_ruleAutomatically signing in the last interactive user after a system-initiated restart must be disabled (Windows 2012 R2).
SV-72043r1_ruleThe system must be configured to audit Policy Change - Authorization Policy Change successes.
SV-72047r5_ruleThe operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
SV-72049r2_ruleUsers must be required to enter a password to access private keys stored on the computer.
SV-72051r1_ruleProtection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
SV-72055r1_ruleSystems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
SV-72063r2_ruleWindows 2012 / 2012 R2 must automatically remove or disable temporary user accounts after 72 hours.
SV-72065r3_ruleWindows 2012 / 2012 R2 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
SV-72133r1_ruleThe operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
SV-72135r2_ruleEvent Viewer must be protected from unauthorized modification and deletion.
SV-87391r1_ruleWDigest Authentication must be disabled.
SV-88193r2_ruleThe Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
SV-88205r2_ruleThe Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
SV-88471r2_ruleThe Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2.
SV-90603r1_ruleOrphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2.
SV-92765r2_ruleWindows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout successes.
SV-92769r2_ruleWindows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout failures.
SV-92773r2_ruleWindows Server 2012/2012 R2 must be configured to audit System - Other System Events successes.
SV-92781r2_ruleWindows Server 2012/2012 R2 must be configured to audit System - Other System Events failures.
SV-95179r1_ruleWindows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2.
SV-95183r2_rulePowerShell script block logging must be enabled on Windows 2012/2012 R2.
SV-95185r1_ruleWindows PowerShell 2.0 must not be installed on Windows 2012/2012 R2.
SV-101879r2_ruleThe password for the krbtgt account on a domain must be reset at least every 180 days.