STIGQter: STIG Summary: Windows Server 2016 Security Technical Implementation Guide

Version: 1

Release: 10

Benchmark Date: 24 Jan 2020

| Name | Title |
| --- | --- |
| SV-87869r1_rule | Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. |
| SV-87871r1_rule | Only administrators responsible for the domain controller must have Administrator rights on the system. |
| SV-87873r2_rule | Only administrators responsible for the member server or standalone system must have Administrator rights on the system. |
| SV-87875r2_rule | Passwords for the built-in Administrator account must be changed at least every 60 days. |
| SV-87877r1_rule | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. |
| SV-87879r1_rule | Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. |
| SV-87881r1_rule | Manually managed application account passwords must be at least 15 characters in length. |
| SV-87883r2_rule | Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. |
| SV-87885r2_rule | Shared user accounts must not be permitted on the system. |
| SV-87887r2_rule | Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. |
| SV-87889r2_rule | Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. |
| SV-87891r1_rule | Systems must be maintained at a supported servicing level. |
| SV-87893r2_rule | The Windows Server 2016 system must use an anti-virus program. |
| SV-87897r1_rule | Servers must have a host-based intrusion detection or prevention system. |
| SV-87899r1_rule | Local volumes must use a format that supports NTFS attributes. |
| SV-87901r1_rule | Permissions for the system drive root directory (usually C:\) must conform to minimum requirements. |
| SV-87903r1_rule | Permissions for program file directories must conform to minimum requirements. |
| SV-87905r1_rule | Permissions for the Windows installation directory must conform to minimum requirements. |
| SV-87907r1_rule | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. |
| SV-87909r1_rule | Non-administrative accounts or groups must only have print permissions on printer shares. |
| SV-87911r2_rule | Outdated or unused accounts must be removed from the system or disabled. |
| SV-87913r4_rule | Windows Server 2016 accounts must require passwords. |
| SV-87915r2_rule | Passwords must be configured to expire. |
| SV-87917r1_rule | System files must be monitored for unauthorized changes. |
| SV-87919r1_rule | Non-system-created file shares on a system must limit access to groups that require it. |
| SV-87923r2_rule | Software certificate installation files must be removed from Windows Server 2016. |
| SV-87925r1_rule | Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. |
| SV-87927r1_rule | Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. |
| SV-87929r1_rule | The roles and features required by the system must be documented. |
| SV-87931r1_rule | A host-based firewall must be installed and enabled on the system. |
| SV-87933r2_rule | Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). |
| SV-87935r1_rule | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. |
| SV-87937r1_rule | Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. |
| SV-87939r1_rule | The Fax Server role must not be installed. |
| SV-87941r1_rule | The Microsoft FTP service must not be installed unless required. |
| SV-87943r1_rule | The Peer Name Resolution Protocol must not be installed. |
| SV-87945r1_rule | Simple TCP/IP Services must not be installed. |
| SV-87947r1_rule | The Telnet Client must not be installed. |
| SV-87949r1_rule | The TFTP Client must not be installed. |
| SV-87951r2_rule | The Server Message Block (SMB) v1 protocol must be uninstalled. |
| SV-87953r1_rule | Windows PowerShell 2.0 must not be installed. |
| SV-87955r1_rule | FTP servers must be configured to prevent anonymous logons. |
| SV-87957r1_rule | FTP servers must be configured to prevent access to the system drive. |
| SV-87959r1_rule | The time service must synchronize with an appropriate DoD time source. |
| SV-87961r3_rule | Windows 2016 account lockout duration must be configured to 15 minutes or greater. |
| SV-87963r2_rule | Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less. |
| SV-87965r2_rule | Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. |
| SV-87967r2_rule | Windows Server 2016 password history must be configured to 24 passwords remembered. |
| SV-87969r2_rule | Windows Server 2016 maximum password age must be configured to 60 days or less. |
| SV-87971r2_rule | Windows Server 2016 minimum password age must be configured to at least one day. |
| SV-87973r2_rule | Windows Server 2016 minimum password length must be configured to 14 characters. |
| SV-87975r2_rule | Windows Server 2016 must have the built-in Windows password complexity policy enabled. |
| SV-87977r2_rule | Windows Server 2016 reversible password encryption must be disabled. |
| SV-88011r1_rule | Kerberos user logon restrictions must be enforced. |
| SV-88013r1_rule | The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. |
| SV-88015r1_rule | The Kerberos user ticket lifetime must be limited to 10 hours or less. |
| SV-88017r1_rule | The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. |
| SV-88019r1_rule | The computer clock synchronization tolerance must be limited to 5 minutes or less. |
| SV-88021r1_rule | Permissions on the Active Directory data files must only allow System and Administrators access. |
| SV-88023r1_rule | The Active Directory SYSVOL directory must have the proper access control permissions. |
| SV-88025r1_rule | Active Directory Group Policy objects must have proper access control permissions. |
| SV-88027r2_rule | The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. |
| SV-88029r1_rule | Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions. |
| SV-88031r1_rule | Data files owned by users must be on a different logical partition from the directory server data files. |
| SV-88033r1_rule | Domain controllers must run on a machine dedicated to that function. |
| SV-88035r1_rule | Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. |
| SV-88037r1_rule | Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. |
| SV-88039r1_rule | The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. |
| SV-88041r2_rule | Active Directory Group Policy objects must be configured with proper audit settings. |
| SV-88043r1_rule | The Active Directory Domain object must be configured with proper audit settings. |
| SV-88045r1_rule | The Active Directory Infrastructure object must be configured with proper audit settings. |
| SV-88047r1_rule | The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. |
| SV-88049r1_rule | The Active Directory AdminSDHolder object must be configured with proper audit settings. |
| SV-88051r1_rule | The Active Directory RID Manager$ object must be configured with proper audit settings. |
| SV-88053r1_rule | Audit records must be backed up to a different system or media than the system being audited. |
| SV-88055r1_rule | Windows Server 2016 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. |
| SV-88057r1_rule | Permissions for the Application event log must prevent access by non-privileged accounts. |
| SV-88059r1_rule | Permissions for the Security event log must prevent access by non-privileged accounts. |
| SV-88061r1_rule | Permissions for the System event log must prevent access by non-privileged accounts. |
| SV-88063r1_rule | Event Viewer must be protected from unauthorized modification and deletion. |
| SV-88065r1_rule | Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes. |
| SV-88067r1_rule | Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures. |
| SV-88069r1_rule | Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes. |
| SV-88071r1_rule | Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes. |
| SV-88075r1_rule | Windows Server 2016 must be configured to audit Account Management - Security Group Management successes. |
| SV-88079r1_rule | Windows Server 2016 must be configured to audit Account Management - User Account Management successes. |
| SV-88081r1_rule | Windows Server 2016 must be configured to audit Account Management - User Account Management failures. |
| SV-88083r2_rule | Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes. |
| SV-88085r1_rule | Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes. |
| SV-88087r1_rule | Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes. |
| SV-88089r1_rule | Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures. |
| SV-88091r1_rule | Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes. |
| SV-88093r1_rule | Windows Server 2016 must be configured to audit DS Access - Directory Service Changes failures. |
| SV-88095r3_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout successes. |
| SV-88097r3_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures. |
| SV-88099r2_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes. |
| SV-88101r1_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes. |
| SV-88103r1_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes. |
| SV-88105r1_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures. |
| SV-88107r1_rule | Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes. |
| SV-88109r1_rule | Windows Server 2016 must be configured to audit Object Access - Removable Storage successes. |
| SV-88111r1_rule | Windows Server 2016 must be configured to audit Object Access - Removable Storage failures. |
| SV-88113r1_rule | Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes. |
| SV-88115r1_rule | Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures. |
| SV-88117r1_rule | Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes. |
| SV-88119r1_rule | Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes. |
| SV-88121r1_rule | Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes. |
| SV-88123r1_rule | Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures. |
| SV-88125r1_rule | Windows Server 2016 must be configured to audit System - IPsec Driver successes. |
| SV-88127r1_rule | Windows Server 2016 must be configured to audit System - IPsec Driver failures. |
| SV-88129r3_rule | Windows Server 2016 must be configured to audit System - Other System Events successes. |
| SV-88131r3_rule | Windows Server 2016 must be configured to audit System - Other System Events failures. |
| SV-88133r1_rule | Windows Server 2016 must be configured to audit System - Security State Change successes. |
| SV-88135r1_rule | Windows Server 2016 must be configured to audit System - Security System Extension successes. |
| SV-88139r1_rule | Administrator accounts must not be enumerated during elevation. |
| SV-88141r1_rule | Windows Server 2016 must be configured to audit System - System Integrity successes. |
| SV-88143r1_rule | Windows Server 2016 must be configured to audit System - System Integrity failures. |
| SV-88145r1_rule | The display of slide shows on the lock screen must be disabled. |
| SV-88147r1_rule | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. |
| SV-88149r2_rule | WDigest Authentication must be disabled on Windows Server 2016. |
| SV-88151r1_rule | Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing. |
| SV-88153r1_rule | Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing. |
| SV-88155r1_rule | Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes. |
| SV-88157r1_rule | Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers. |
| SV-88159r1_rule | Insecure logons to an SMB server must be disabled. |
| SV-88161r1_rule | Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. |
| SV-88163r1_rule | Command line data must be included in process creation events. |
| SV-88165r2_rule | Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. |
| SV-88167r4_rule | Windows Server 2016 must be running Credential Guard on domain-joined member servers. |
| SV-88173r1_rule | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. |
| SV-88177r1_rule | Group Policy objects must be reprocessed even if they have not changed. |
| SV-88179r1_rule | Downloading print driver packages over HTTP must be prevented. |
| SV-88181r1_rule | Printing over HTTP must be prevented. |
| SV-88185r1_rule | The network selection user interface (UI) must not be displayed on the logon screen. |
| SV-88187r1_rule | Local users on domain-joined computers must not be enumerated. |
| SV-88197r1_rule | Users must be prompted to authenticate when the system wakes from sleep (on battery). |
| SV-88201r1_rule | Users must be prompted to authenticate when the system wakes from sleep (plugged in). |
| SV-88203r1_rule | Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server. |
| SV-88207r1_rule | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. |
| SV-88209r1_rule | AutoPlay must be turned off for non-volume devices. |
| SV-88211r1_rule | The default AutoRun behavior must be configured to prevent AutoRun commands. |
| SV-88213r1_rule | AutoPlay must be disabled for all drives. |
| SV-88215r1_rule | Windows Telemetry must be configured to Security or Basic. |
| SV-88217r1_rule | The Application event log size must be configured to 32768 KB or greater. |
| SV-88219r1_rule | The Security event log size must be configured to 196608 KB or greater. |
| SV-88221r1_rule | The System event log size must be configured to 32768 KB or greater. |
| SV-88223r2_rule | Windows Server 2016 Windows SmartScreen must be enabled. |
| SV-88225r1_rule | Explorer Data Execution Prevention must be enabled. |
| SV-88227r1_rule | Turning off File Explorer heap termination on corruption must be disabled. |
| SV-88229r1_rule | File Explorer shell protocol must run in protected mode. |
| SV-88231r1_rule | Passwords must not be saved in the Remote Desktop Client. |
| SV-88233r1_rule | Local drives must be prevented from sharing with Remote Desktop Session Hosts. |
| SV-88235r1_rule | Remote Desktop Services must always prompt a client for passwords upon connection. |
| SV-88237r1_rule | The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications. |
| SV-88239r1_rule | Remote Desktop Services must be configured with the client connection encryption set to High Level. |
| SV-88241r1_rule | Attachments must be prevented from being downloaded from RSS feeds. |
| SV-88243r1_rule | Basic authentication for RSS feeds over HTTP must not be used. |
| SV-88245r1_rule | Indexing of encrypted files must be turned off. |
| SV-88247r1_rule | Users must be prevented from changing installation options. |
| SV-88249r1_rule | The Windows Installer Always install with elevated privileges option must be disabled. |
| SV-88251r1_rule | Users must be notified if a web-based program attempts to install software. |
| SV-88253r1_rule | Automatically signing in the last interactive user after a system-initiated restart must be disabled. |
| SV-88255r1_rule | PowerShell script block logging must be enabled. |
| SV-88257r1_rule | The Windows Remote Management (WinRM) client must not use Basic authentication. |
| SV-88259r1_rule | The Windows Remote Management (WinRM) client must not allow unencrypted traffic. |
| SV-88261r1_rule | The Windows Remote Management (WinRM) client must not use Digest authentication. |
| SV-88263r1_rule | The Windows Remote Management (WinRM) service must not use Basic authentication. |
| SV-88265r1_rule | The Windows Remote Management (WinRM) service must not allow unencrypted traffic. |
| SV-88267r1_rule | The Windows Remote Management (WinRM) service must not store RunAs credentials. |
| SV-88269r3_rule | The DoD Root CA certificates must be installed in the Trusted Root Store. |
| SV-88271r3_rule | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. |
| SV-88273r3_rule | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. |
| SV-88275r1_rule | Domain controllers must have a PKI server certificate. |
| SV-88277r1_rule | Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). |
| SV-88279r2_rule | PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA). |
| SV-88281r1_rule | Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. |
| SV-88285r1_rule | Local accounts with blank passwords must be restricted to prevent access from the network. |
| SV-88287r2_rule | Windows Server 2016 built-in administrator account must be renamed. |
| SV-88289r2_rule | Windows Server 2016 built-in guest account must be renamed. |
| SV-88291r1_rule | Audit policy using subcategories must be enabled. |
| SV-88293r1_rule | Domain controllers must require LDAP access signing. |
| SV-88295r1_rule | Domain controllers must be configured to allow reset of machine account passwords. |
| SV-88297r1_rule | The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. |
| SV-88299r1_rule | The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled. |
| SV-88301r1_rule | The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. |
| SV-88303r1_rule | The computer account password must not be prevented from being reset. |
| SV-88305r1_rule | The maximum age for machine account passwords must be configured to 30 days or less. |
| SV-88307r1_rule | Windows Server 2016 must be configured to require a strong session key. |
| SV-88309r2_rule | The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver. |
| SV-88311r2_rule | The required legal notice must be configured to display before console logon. |
| SV-88313r1_rule | The Windows dialog box title for the legal banner must be configured with the appropriate text. |
| SV-88315r1_rule | Caching of logon credentials must be limited. |
| SV-88317r1_rule | The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. |
| SV-88319r1_rule | The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. |
| SV-88321r1_rule | Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. |
| SV-88325r1_rule | The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. |
| SV-88327r1_rule | The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. |
| SV-88329r2_rule | Anonymous SID/Name translation must not be allowed. |
| SV-88331r1_rule | Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed. |
| SV-88333r1_rule | Anonymous enumeration of shares must not be allowed. |
| SV-88337r1_rule | Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group. |
| SV-88339r1_rule | Anonymous access to Named Pipes and Shares must be restricted. |
| SV-88341r2_rule | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. |
| SV-88343r1_rule | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. |
| SV-88345r1_rule | NTLM must be prevented from falling back to a Null session. |
| SV-88347r1_rule | PKU2U authentication using online identities must be prevented. |
| SV-88349r2_rule | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. |
| SV-88351r1_rule | Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords. |
| SV-88355r1_rule | The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM. |
| SV-88357r1_rule | Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing. |
| SV-88359r1_rule | Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. |
| SV-88361r1_rule | Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. |
| SV-88363r1_rule | Users must be required to enter a password to access private keys stored on the computer. |
| SV-88365r1_rule | Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. |
| SV-88369r1_rule | The default permissions of global system objects must be strengthened. |
| SV-88371r1_rule | User Account Control approval mode for the built-in Administrator must be enabled. |
| SV-88373r1_rule | UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. |
| SV-88375r1_rule | User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. |
| SV-88377r1_rule | User Account Control must automatically deny standard user requests for elevation. |
| SV-88379r1_rule | User Account Control must be configured to detect application installations and prompt for elevation. |
| SV-88381r1_rule | User Account Control must only elevate UIAccess applications that are installed in secure locations. |
| SV-88383r1_rule | User Account Control must run all administrators in Admin Approval Mode, enabling UAC. |
| SV-88385r1_rule | User Account Control must virtualize file and registry write failures to per-user locations. |
| SV-88391r1_rule | Zone information must be preserved when saving attachments. |
| SV-88393r2_rule | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. |
| SV-88395r3_rule | The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. |
| SV-88397r3_rule | The Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on member servers. |
| SV-88399r2_rule | The Act as part of the operating system user right must not be assigned to any groups or accounts. |
| SV-88401r2_rule | The Add workstations to domain user right must only be assigned to the Administrators group. |
| SV-88403r2_rule | The Allow log on locally user right must only be assigned to the Administrators group. |
| SV-88405r2_rule | The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group. |
| SV-88407r2_rule | The Back up files and directories user right must only be assigned to the Administrators group. |
| SV-88409r2_rule | The Create a pagefile user right must only be assigned to the Administrators group. |
| SV-88411r2_rule | The Create a token object user right must not be assigned to any groups or accounts. |
| SV-88413r2_rule | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| SV-88415r2_rule | The Create permanent shared objects user right must not be assigned to any groups or accounts. |
| SV-88417r2_rule | The Create symbolic links user right must only be assigned to the Administrators group. |
| SV-88419r2_rule | The Debug programs user right must only be assigned to the Administrators group. |
| SV-88421r2_rule | The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. |
| SV-88423r3_rule | The Deny access to this computer from the network user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems, and from unauthenticated access on all systems. |
| SV-88425r2_rule | The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. |
| SV-88427r2_rule | The Deny log on as a batch job user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems. |
| SV-88429r2_rule | The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. |
| SV-88431r2_rule | The Deny log on as a service user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right. |
| SV-88433r2_rule | The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. |
| SV-88435r3_rule | The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems. |
| SV-88437r2_rule | The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access. |
| SV-88439r3_rule | The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems. |
| SV-88441r2_rule | The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. |
| SV-88443r2_rule | The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on member servers. |
| SV-88445r2_rule | The Force shutdown from a remote system user right must only be assigned to the Administrators group. |
| SV-88447r2_rule | The Generate security audits user right must only be assigned to Local Service and Network Service. |
| SV-88449r2_rule | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| SV-88451r2_rule | The Increase scheduling priority user right must only be assigned to the Administrators group. |
| SV-88453r2_rule | The Load and unload device drivers user right must only be assigned to the Administrators group. |
| SV-88455r2_rule | The Lock pages in memory user right must not be assigned to any groups or accounts. |
| SV-88457r2_rule | The Manage auditing and security log user right must only be assigned to the Administrators group. |
| SV-88459r2_rule | The Modify firmware environment values user right must only be assigned to the Administrators group. |
| SV-88461r2_rule | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. |
| SV-88463r2_rule | The Profile single process user right must only be assigned to the Administrators group. |
| SV-88465r2_rule | The Restore files and directories user right must only be assigned to the Administrators group. |
| SV-88467r2_rule | The Take ownership of files or other objects user right must only be assigned to the Administrators group. |
| SV-88473r1_rule | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. |
| SV-88475r2_rule | Windows Server 2016 built-in guest account must be disabled. |
| SV-92829r1_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. |
| SV-92831r1_rule | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. |
| SV-92833r2_rule | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016. |
| SV-101005r2_rule | Secure Boot must be enabled on Windows Server 2016 systems. |
| SV-101007r2_rule | Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. |
| SV-101009r1_rule | Windows 2016 must be configured to audit Object Access - Other Object Access Events successes. |
| SV-101011r1_rule | Windows 2016 must be configured to audit Object Access - Other Object Access Events failures. |
| SV-101881r2_rule | The password for the krbtgt account on a domain must be reset at least every 180 days. |