STIGQter: STIG Summary: Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide

Version: 2

Release: 17

Benchmark Date: 25 Oct 2019

Name             Title
SV-52838r1_rule  Server systems must be located in a controlled access area, accessible only to authorized personnel.
SV-52839r2_rule  Shared user accounts must not be permitted on the system.
SV-53189r2_rule  Systems must be maintained at a supported service pack level.
SV-52103r4_rule  The Windows 2012 / 2012 R2 system must use an anti-virus program.
SV-52840r1_rule  The shutdown option must not be available from the logon dialog box.
SV-52841r2_rule  System-level information must be backed up in accordance with local recovery time and recovery point objectives.
SV-52843r3_rule  Local volumes must use a format that supports NTFS attributes.
SV-52845r3_rule  The required legal notice must be configured to display before console logon.
SV-52846r2_rule  Caching of logon credentials must be limited.
SV-52847r1_rule  Anonymous enumeration of shares must be restricted.
SV-52848r1_rule  The number of allowed bad logon attempts must meet minimum requirements.
SV-52849r2_rule  The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012.
SV-52850r2_rule  Windows 2012 account lockout duration must be configured to 15 minutes or greater.
SV-52108r3_rule  The Act as part of the operating system user right must not be assigned to any groups or accounts.
SV-52851r1_rule  The maximum password age must meet requirements.
SV-52852r1_rule  The minimum password age must meet requirements.
SV-52853r2_rule  The password history must be configured to 24 passwords remembered.
SV-52854r4_rule  Outdated or unused accounts must be removed from the system or disabled.
SV-52855r1_rule  The built-in guest account must be disabled.
SV-52856r1_rule  The built-in guest account must be renamed.
SV-52857r1_rule  The built-in administrator account must be renamed.
SV-52858r1_rule  The system must not boot into multiple operating systems (dual-boot).
SV-52106r2_rule  File Transfer Protocol (FTP) servers must be configured to prevent anonymous logons.
SV-52212r2_rule  File Transfer Protocol (FTP) servers must be configured to prevent access to the system drive.
SV-51511r4_rule  Only administrators responsible for the member server must have Administrator rights on the system.
SV-52859r2_rule  Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
SV-52213r2_rule  Nonadministrative user accounts or groups must only have print permissions on printer shares.
SV-52860r1_rule  Users must be forcibly disconnected when their logon hours expire.
SV-52861r2_rule  Unencrypted passwords must not be sent to third-party SMB Servers.
SV-52107r2_rule  Automatic logons must be disabled.
SV-52863r2_rule  The built-in Windows password complexity policy must be enabled.
SV-52214r2_rule  The print driver installation privilege must be restricted to administrators.
SV-52864r3_rule  Anonymous access to the registry must be restricted.
SV-52865r1_rule  The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
SV-52866r1_rule  The Ctrl+Alt+Del security attention sequence for logons must be enabled.
SV-51501r6_rule  The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems.
SV-52867r2_rule  The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
SV-52870r2_rule  The Windows SMB server must perform SMB packet signing when possible.
SV-52871r3_rule  Outgoing secure channel traffic must be encrypted when possible.
SV-52872r3_rule  Outgoing secure channel traffic must be signed when possible.
SV-52873r1_rule  The computer account password must not be prevented from being reset.
SV-52874r2_rule  The Windows SMB client must be enabled to perform SMB packet signing when possible.
SV-52156r2_rule  Members of the Backup Operators group must be documented.
SV-52875r1_rule  Ejection of removable NTFS media must be restricted to Administrators.
SV-52876r1_rule  Users must be warned in advance of their passwords expiring.
SV-52877r1_rule  The default permissions of global system objects must be increased.
SV-52878r3_rule  The amount of idle time required before suspending a session must be properly set.
SV-52880r1_rule  Reversible password encryption must be disabled.
SV-52879r2_rule  Autoplay must be disabled for all drives.
SV-52215r2_rule  System files must be monitored for unauthorized changes.
SV-52881r3_rule  Non system-created file shares on a system must limit access to groups that require it.
SV-52105r3_rule  Servers must have a host-based Intrusion Detection System.
SV-52882r1_rule  Anonymous SID/Name translation must not be allowed.
SV-51497r2_rule  Named pipes that can be accessed anonymously must be configured to contain no values on member servers.
SV-52883r2_rule  Unauthorized remotely accessible registry paths must not be configured.
SV-52884r1_rule  Network shares that can be accessed anonymously must not be allowed.
SV-52885r1_rule  Solicited Remote Assistance must not be allowed.
SV-52886r1_rule  Local accounts with blank passwords must be restricted to prevent access from the network.
SV-52887r1_rule  The maximum age for machine account passwords must be set to requirements.
SV-52888r2_rule  The system must be configured to require a strong session key.
SV-52890r1_rule  The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
SV-52891r1_rule  The system must be configured to use the Classic security model.
SV-52892r2_rule  The system must be configured to prevent the storage of the LAN Manager hash of passwords.
SV-52893r1_rule  The system must be configured to force users to log off when their allowed logon hours expire.
SV-52894r1_rule  The system must be configured to the required LDAP client signing level.
SV-52895r1_rule  The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients.
SV-52896r2_rule  The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
SV-52897r1_rule  The system must be configured to require case insensitivity for non-Windows subsystems.
SV-52216r2_rule  Remote Desktop Services must limit users to one remote session.
SV-52898r1_rule  Remote Desktop Services must always prompt a client for passwords upon connection.
SV-52899r2_rule  Remote Desktop Services must be configured with the client connection encryption set to the required level.
SV-52900r1_rule  Remote Desktop Services must be configured to use session-specific temporary folders.
SV-52901r1_rule  Remote Desktop Services must delete temporary folders when a session is terminated.
SV-52906r1_rule  Group Policies must be refreshed in the background if the user is logged on.
SV-52917r1_rule  The system must be configured to prevent unsolicited remote assistance offers.
SV-52919r3_rule  The time service must synchronize with an appropriate DoD time source.
SV-52920r1_rule  The system must be configured to use Safe DLL Search Mode.
SV-53130r1_rule  Windows Media Player must be configured to prevent automatic checking for updates.
SV-52921r1_rule  Media Player must be configured to prevent automatic Codec downloads.
SV-52218r2_rule  Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system.
SV-52922r1_rule  The system must be configured to meet the minimum session security requirement for NTLM SSP-based servers.
SV-52923r2_rule  The system must generate an audit event when the audit log reaches a percentage of full threshold.
SV-52924r1_rule  The system must be configured to prevent IP source routing.
SV-52925r1_rule  The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
SV-52926r1_rule  The system must be configured to disable the Internet Router Discovery Protocol (IRDP).
SV-52927r1_rule  The system must be configured to limit how often keep-alive packets are sent.
SV-52928r2_rule  The system must be configured to ignore NetBIOS name release requests except from WINS servers.
SV-52929r2_rule  The system must limit how many times unacknowledged TCP data is retransmitted.
SV-52930r1_rule  The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
SV-52931r2_rule  Unauthorized remotely accessible registry paths and sub-paths must not be configured.
SV-52219r2_rule  Optional Subsystems must not be permitted to operate on the system.
SV-52932r2_rule  The Remote Desktop Session Host must require secure RPC communications.
SV-52933r1_rule  Group Policy objects must be reprocessed even if they have not changed.
SV-52934r2_rule  Outgoing secure channel traffic must be encrypted or signed.
SV-52935r2_rule  The Windows SMB client must be configured to always perform SMB packet signing.
SV-52936r2_rule  The Windows SMB server must be configured to always perform SMB packet signing.
SV-52937r1_rule  Anonymous access to Named Pipes and Shares must be restricted.
SV-52938r2_rule  Passwords must, at a minimum, be 14 characters.
SV-52939r4_rule  Windows 2012/2012 R2 passwords must be configured to expire.
SV-52940r3_rule  Windows 2012/2012 R2 accounts must be configured to require passwords.
SV-52941r1_rule  The system must be configured to prevent the display of the last username on the logon screen.
SV-52942r3_rule  Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.
SV-53129r1_rule  Auditing the Access of Global System Objects must be turned off.
SV-52943r1_rule  Auditing of Backup and Restore Privileges must be turned off.
SV-52944r1_rule  Audit policy using subcategories must be enabled.
SV-52945r1_rule  IPSec Exemptions must be limited.
SV-52946r1_rule  User Account Control approval mode for the built-in Administrator must be enabled.
SV-52947r1_rule  User Account Control must, at minimum, prompt administrators for consent.
SV-52948r1_rule  User Account Control must automatically deny standard user requests for elevation.
SV-52949r1_rule  User Account Control must be configured to detect application installations and prompt for elevation.
SV-52950r1_rule  User Account Control must only elevate UIAccess applications that are installed in secure locations.
SV-52951r1_rule  User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
SV-52952r1_rule  User Account Control must switch to the secure desktop when prompting for elevation.
SV-52953r1_rule  User Account Control must virtualize file and registry write failures to per-user locations.
SV-52955r2_rule  Administrator accounts must not be enumerated during elevation.
SV-52958r1_rule  Passwords must not be saved in the Remote Desktop Client.
SV-52959r1_rule  Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role).
SV-52988r2_rule  Unauthenticated RPC clients must be restricted from connecting to the RPC server.
SV-52997r1_rule  Printing over HTTP must be prevented.
SV-52998r1_rule  Downloading print driver packages over HTTP must be prevented.
SV-53000r1_rule  Windows must be prevented from using Windows Update to search for drivers.
SV-53002r1_rule  Zone information must be preserved when saving attachments.
SV-53004r1_rule  Mechanisms for removing zone information from file attachments must be hidden.
SV-53006r1_rule  The system must notify antivirus when file attachments are opened.
SV-53010r3_rule  The HBSS McAfee Agent must be installed.
SV-53012r1_rule  Windows Peer-to-Peer networking services must be turned off.
SV-53014r2_rule  Network Bridges must be prohibited in Windows.
SV-53017r1_rule  Event Viewer Events.asp links must be turned off.
SV-53021r1_rule  The Internet File Association service must be turned off.
SV-53040r1_rule  Attachments must be prevented from being downloaded from RSS feeds.
SV-53045r1_rule  File Explorer shell protocol must run in protected mode.
SV-53056r2_rule  Users must be notified if a web-based program attempts to install software.
SV-53061r1_rule  Users must be prevented from changing installation options.
SV-53065r1_rule  Nonadministrators must be prevented from applying vendor-signed updates.
SV-53069r1_rule  Users must not be presented with Privacy and Installation options on first use of Windows Media Player.
SV-53072r1_rule  The Mapper I/O network protocol (LLTDIO) driver must be disabled.
SV-53081r1_rule  The Responder network protocol driver must be disabled.
SV-53085r1_rule  The configuration of wireless devices using Windows Connect Now must be disabled.
SV-53089r1_rule  The Windows Connect Now wizards must be disabled.
SV-53094r1_rule  Remote access to the Plug and Play interface must be disabled for device installation.
SV-53099r1_rule  A system restore point must be created when a new device driver is installed.
SV-53105r1_rule  An Error Report must not be sent when a generic device driver is installed.
SV-53115r1_rule  Users must not be prompted to search Windows Update for device drivers.
SV-53116r1_rule  Errors in handwriting recognition on tablet PCs must not be reported to Microsoft.
SV-53131r1_rule  Users must be prompted to authenticate on resume from sleep (on battery).
SV-53132r1_rule  The user must be prompted to authenticate on resume from sleep (plugged in).
SV-53133r1_rule  Remote Assistance log files must be generated.
SV-53137r1_rule  Turning off File Explorer heap termination on corruption must be disabled.
SV-53139r1_rule  Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet.
SV-53140r2_rule  Users must be prevented from sharing files in their profiles.
SV-53141r4_rule  Software certificate installation files must be removed from Windows 2012/2012 R2.
SV-52223r2_rule  UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
SV-52224r2_rule  Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).
SV-52226r2_rule  Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).
SV-52229r2_rule  Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).
SV-52230r2_rule  The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role).
SV-53142r1_rule  Windows must elevate all applications in User Account Control, not just signed ones.
SV-53143r1_rule  The Windows Customer Experience Improvement Program must be disabled.
SV-53144r1_rule  The Windows Help Experience Improvement Program must be disabled.
SV-53145r1_rule  Windows Help Ratings feedback must be turned off.
SV-52115r3_rule  The Debug programs user right must only be assigned to the Administrators group.
SV-53175r1_rule  The service principal name (SPN) target name validation level must be turned off.
SV-53176r1_rule  Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
SV-53177r1_rule  NTLM must be prevented from falling back to a Null session.
SV-53178r1_rule  PKU2U authentication using online identities must be prevented.
SV-53179r4_rule  Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
SV-53180r2_rule  IPv6 source routing must be configured to the highest protection level.
SV-53181r2_rule  IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.
SV-53182r1_rule  Domain users must be required to elevate when setting a network's location.
SV-53183r1_rule  All Direct Access traffic must be routed through the internal network.
SV-53184r1_rule  Windows Update must be prevented from searching for point and print drivers.
SV-53185r2_rule  Device metadata retrieval from the Internet must be prevented.
SV-53186r1_rule  Device driver searches using Windows Update must be prevented.
SV-53187r1_rule  Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.
SV-53188r1_rule  Access to Windows Online Troubleshooting Service (WOTS) must be prevented.
SV-53128r1_rule  Responsiveness events must be prevented from being aggregated and sent to Microsoft.
SV-53127r1_rule  The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
SV-53126r2_rule  Autoplay must be turned off for non-volume devices.
SV-53125r1_rule  Explorer Data Execution Prevention must be enabled.
SV-53124r2_rule  The default Autorun behavior must be configured to prevent Autorun commands.
SV-53123r4_rule  Standard user accounts must only have Read permissions to the Winlogon registry key.
SV-53122r1_rule  Anonymous enumeration of SAM accounts must not be allowed.
SV-53121r2_rule  The Windows dialog box title for the legal banner must be configured.
SV-53120r2_rule  The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
SV-51499r4_rule  The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
SV-52110r3_rule  The Allow log on locally user right must only be assigned to the Administrators group.
SV-83319r1_rule  The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group and other approved groups.
SV-52111r3_rule  The Back up files and directories user right must only be assigned to the Administrators group.
SV-53063r2_rule  The Create a pagefile user right must only be assigned to the Administrators group.
SV-52113r3_rule  The Create a token object user right must not be assigned to any groups or accounts.
SV-52114r3_rule  The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
SV-53059r2_rule  The Create permanent shared objects user right must not be assigned to any groups or accounts.
SV-53054r3_rule  The Create symbolic links user right must only be assigned to the Administrators group.
SV-51502r1_rule  The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems, and from unauthenticated access on all systems.
SV-51504r1_rule  The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
SV-51508r3_rule  The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems, and from unauthenticated access on all systems.
SV-51509r5_rule  The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems, and from unauthenticated access on all systems.
SV-51500r1_rule  Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right on member servers.
SV-53050r2_rule  The Force shutdown from a remote system user right must only be assigned to the Administrators group.
SV-52116r3_rule  The Generate security audits user right must only be assigned to Local Service and Network Service.
SV-52117r3_rule  The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
SV-52118r3_rule  The Increase scheduling priority user right must only be assigned to the Administrators group.
SV-53043r2_rule  The Load and unload device drivers user right must only be assigned to the Administrators group.
SV-52119r3_rule  The Lock pages in memory user right must not be assigned to any groups or accounts.
SV-53039r4_rule  The Manage auditing and security log user right must only be assigned to the Administrators group.
SV-53029r2_rule  The Modify firmware environment values user right must only be assigned to the Administrators group.
SV-53025r2_rule  The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
SV-53022r2_rule  The Profile single process user right must only be assigned to the Administrators group.
SV-52122r3_rule  The Restore files and directories user right must only be assigned to the Administrators group.
SV-52123r3_rule  The Take ownership of files or other objects user right must only be assigned to the Administrators group.
SV-53013r2_rule  The system must be configured to audit Account Logon - Credential Validation successes.
SV-53011r2_rule  The system must be configured to audit Account Logon - Credential Validation failures.
SV-53009r1_rule  The system must be configured to audit Account Management - Other Account Management Events successes.
SV-53007r2_rule  The system must be configured to audit Account Management - Security Group Management successes.
SV-53003r2_rule  The system must be configured to audit Account Management - User Account Management successes.
SV-53001r2_rule  The system must be configured to audit Account Management - User Account Management failures.
SV-52999r1_rule  The system must be configured to audit Detailed Tracking - Process Creation successes.
SV-52996r2_rule  The system must be configured to audit Logon/Logoff - Logoff successes.
SV-52994r2_rule  The system must be configured to audit Logon/Logoff - Logon successes.
SV-52993r2_rule  The system must be configured to audit Logon/Logoff - Logon failures.
SV-52987r1_rule  The system must be configured to audit Logon/Logoff - Special Logon successes.
SV-52983r1_rule  The system must be configured to audit Policy Change - Audit Policy Change successes.
SV-52982r1_rule  The system must be configured to audit Policy Change - Audit Policy Change failures.
SV-52981r1_rule  The system must be configured to audit Policy Change - Authentication Policy Change successes.
SV-52980r1_rule  The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
SV-52979r1_rule  The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
SV-52978r1_rule  The system must be configured to audit System - IPsec Driver successes.
SV-52977r1_rule  The system must be configured to audit System - IPsec Driver failures.
SV-52976r1_rule  The system must be configured to audit System - Security State Change successes.
SV-52974r1_rule  The system must be configured to audit System - Security System Extension successes.
SV-52972r1_rule  The system must be configured to audit System - System Integrity successes.
SV-52971r1_rule  The system must be configured to audit System - System Integrity failures.
SV-52970r1_rule  The 6to4 IPv6 transition technology must be disabled.
SV-52969r1_rule  The IP-HTTPS IPv6 transition technology must be disabled.
SV-52968r1_rule  The ISATAP IPv6 transition technology must be disabled.
SV-52967r1_rule  The Teredo IPv6 transition technology must be disabled.
SV-52966r2_rule  The Application event log size must be configured to 32768 KB or greater.
SV-52965r2_rule  The Security event log size must be configured to 196608 KB or greater.
SV-52964r2_rule  The Setup event log size must be configured to 32768 KB or greater.
SV-52963r2_rule  The System event log size must be configured to 32768 KB or greater.
SV-52236r2_rule  The Fax service must be disabled if installed.
SV-52237r4_rule  The Microsoft FTP service must not be installed unless required.
SV-52238r2_rule  The Peer Networking Identity Manager service must be disabled if installed.
SV-52239r2_rule  The Simple TCP/IP Services service must be disabled if installed.
SV-52240r2_rule  The Telnet service must be disabled if installed.
SV-52962r1_rule  Windows must be prevented from sending an error report when a device driver requests additional software during installation.
SV-52961r6_rule  The DoD Root CA certificates must be installed in the Trusted Root Store.
SV-52957r7_rule  The DoD Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.
SV-52956r3_rule  Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key.
SV-52954r1_rule  The Windows Installer Always install with elevated privileges option must be disabled.
SV-51590r3_rule  Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
SV-51578r2_rule  Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
SV-51758r2_rule  A screen saver must be enabled on the system.
SV-51760r1_rule  The screen saver must be password protected.
SV-51575r2_rule  Users with administrative privilege must be documented.
SV-51576r1_rule  Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
SV-51579r1_rule  Policy must require application account passwords be at least 15 characters in length.
SV-51580r3_rule  Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
SV-51577r1_rule  Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.
SV-51604r2_rule  The system must be configured to audit Object Access - Removable Storage failures.
SV-51601r2_rule  The system must be configured to audit Object Access - Removable Storage successes.
SV-51561r1_rule  Audit data must be reviewed on a regular basis.
SV-51563r1_rule  Audit data must be retained for at least one year.
SV-51566r2_rule  Audit records must be backed up onto a different system or media than the system being audited.
SV-51605r1_rule  IP stateless autoconfiguration limits state must be enabled.
SV-51606r1_rule  Optional component installation and component repair must be prevented from using Windows Update.
SV-51607r1_rule  Device driver updates must only search managed servers, not Windows Update.
SV-51608r1_rule  Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.
SV-51609r2_rule  Access to the Windows Store must be turned off.
SV-51610r1_rule  Copying of user input methods to the system account for sign-in must be prevented.
SV-51611r1_rule  Local users on domain-joined computers must not be enumerated.
SV-51612r1_rule  App notifications on the lock screen must be turned off.
SV-51737r2_rule  The detection of compatibility issues for applications and drivers must be turned off.
SV-51738r1_rule  Trusted app installation must be enabled to allow for signed enterprise line of business apps.
SV-51739r1_rule  The use of biometrics must be disabled.
SV-51740r1_rule  The password reveal button must not be displayed.
SV-51747r5_rule  Windows SmartScreen must be enabled on Windows 2012/2012 R2.
SV-51748r2_rule  The location feature must be turned off.
SV-51749r1_rule  Basic authentication for RSS feeds over HTTP must be turned off.
SV-51750r2_rule  Automatic download of updates from the Windows Store must be turned off.
SV-51751r2_rule  The Windows Store application must be turned off.
SV-51752r1_rule  The Windows Remote Management (WinRM) client must not use Basic authentication.
SV-51753r2_rule  The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
SV-51754r1_rule  The Windows Remote Management (WinRM) client must not use Digest authentication.
SV-51755r2_rule  The Windows Remote Management (WinRM) service must not use Basic authentication.
SV-51756r2_rule  The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
SV-51757r1_rule  The Windows Remote Management (WinRM) service must not store RunAs credentials.
SV-51569r1_rule  Permissions for the Application event log must prevent access by nonprivileged accounts.
SV-51571r1_rule  Permissions for the Security event log must prevent access by nonprivileged accounts.
SV-51572r1_rule  Permissions for the System event log must prevent access by nonprivileged accounts.
SV-51581r2_rule  User-level information must be backed up in accordance with local recovery time and recovery point objectives.
SV-51582r3_rule  Windows Server 2012 / 2012 R2 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
SV-51583r2_rule  The system must support automated patch management tools to facilitate flaw remediation.
SV-51584r1_rule  The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.
SV-51596r2_rule  The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
SV-51762r1_rule  Notifications from Windows Push Network Service must be turned off.
SV-51763r1_rule  Toast notifications to the lock screen must be turned off.
SV-52130r2_rule  Backups of system-level information must be protected.
SV-52131r3_rule  System-related documentation must be backed up in accordance with local recovery time and recovery point objectives.
SV-52135r3_rule  Permissions for program file directories must conform to minimum requirements.
SV-52136r3_rule  Permissions for system drive root directory (usually C:\) must conform to minimum requirements.
SV-52137r3_rule  Permissions for Windows installation directory must conform to minimum requirements.
SV-52157r2_rule  Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
SV-52159r3_rule  The system must be configured to audit Object Access - Central Access Policy Staging failures.
SV-52161r3_rule  The system must be configured to audit Object Access - Central Access Policy Staging successes.
SV-52163r2_rule  Only the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role).
SV-52165r2_rule  The Smart Card Removal Policy service must be configured to automatic.
SV-52196r6_rule  The US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems.
SV-55085r1_rule  A host-based firewall must be installed and enabled on the system.
SV-56343r2_rule  The display of slide shows on the lock screen must be disabled (Windows 2012 R2).
SV-56344r3_rule  Windows 2012 R2 must include command line data in process creation events.
SV-56346r2_rule  The network selection user interface (UI) must not be displayed on the logon screen (Windows 2012 R2).
SV-56353r2_rule  The setting to allow Microsoft accounts to be optional for modern style apps must be enabled (Windows 2012 R2).
SV-56355r2_rule  Automatically signing in the last interactive user after a system-initiated restart must be disabled (Windows 2012 R2).
SV-72043r1_rule  The system must be configured to audit Policy Change - Authorization Policy Change successes.
SV-72047r5_rule  The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
SV-72049r2_rule  Users must be required to enter a password to access private keys stored on the computer.
SV-72051r1_rule  Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
SV-72055r1_rule  Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
SV-72063r2_rule  Windows 2012 / 2012 R2 must automatically remove or disable temporary user accounts after 72 hours.
SV-72065r3_rule  Windows 2012 / 2012 R2 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
SV-72133r1_rule  The operating system must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
SV-72135r2_rule  Event Viewer must be protected from unauthorized modification and deletion.
SV-87391r1_rule  WDigest Authentication must be disabled.
SV-88193r2_rule  The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
SV-88205r2_rule  The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
SV-88471r2_rule  The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2.
SV-90603r1_rule  Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2.
SV-92765r2_rule  Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout successes.
SV-92769r2_rule  Windows Server 2012/2012 R2 must be configured to audit Logon/Logoff - Account Lockout failures.
SV-92773r2_rule  Windows Server 2012/2012 R2 must be configured to audit System - Other System Events successes.
SV-92781r2_rule  Windows Server 2012/2012 R2 must be configured to audit System - Other System Events failures.
SV-95179r1_rule  Windows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2.
SV-95183r2_rule  PowerShell script block logging must be enabled on Windows 2012/2012 R2.
SV-95185r1_rule  Windows PowerShell 2.0 must not be installed on Windows 2012/2012 R2.