STIGQter: STIG Summary: Windows Server 2019 Security Technical Implementation Guide

Version: 1

Release: 3

Benchmark Date: 24 Jan 2020

Name | Title
SV-103049r1_rule | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
SV-103051r1_rule | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
SV-103053r1_rule | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
SV-103055r1_rule | Windows Server 2019 must be configured to audit logon successes.
SV-103057r1_rule | Windows Server 2019 must be configured to audit logon failures.
SV-103059r1_rule | Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
SV-103061r1_rule | Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.
SV-103063r1_rule | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours.
SV-103065r1_rule | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
SV-103067r1_rule | Windows Server 2019 must be configured to audit Account Management - Security Group Management successes.
SV-103069r1_rule | Windows Server 2019 must be configured to audit Account Management - User Account Management successes.
SV-103071r1_rule | Windows Server 2019 must be configured to audit Account Management - User Account Management failures.
SV-103073r1_rule | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes.
SV-103075r1_rule | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes.
SV-103077r1_rule | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.
SV-103079r1_rule | Windows Server 2019 local volumes must use a format that supports NTFS attributes.
SV-103081r1_rule | Windows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares.
SV-103083r1_rule | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
SV-103085r1_rule | Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
SV-103087r1_rule | Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
SV-103089r1_rule | Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
SV-103091r1_rule | Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
SV-103093r1_rule | Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
SV-103095r1_rule | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems.
SV-103097r1_rule | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
SV-103099r1_rule | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
SV-103101r1_rule | Windows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
SV-103103r1_rule | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
SV-103105r1_rule | Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.
SV-103107r1_rule | Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
SV-103109r1_rule | Windows Server 2019 permissions for program file directories must conform to minimum requirements.
SV-103111r1_rule | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements.
SV-103113r1_rule | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
SV-103115r1_rule | Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
SV-103117r1_rule | Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.
SV-103119r1_rule | Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions.
SV-103121r1_rule | Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions.
SV-103123r1_rule | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
SV-103125r1_rule | Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
SV-103127r1_rule | Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
SV-103129r1_rule | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
SV-103131r1_rule | Windows Server 2019 must only allow administrators responsible for the member server or standalone system to have Administrator rights on the system.
SV-103133r1_rule | Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone systems.
SV-103135r1_rule | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone systems.
SV-103137r1_rule | Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
SV-103139r1_rule | Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.
SV-103141r1_rule | Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group.
SV-103143r1_rule | Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group.
SV-103145r1_rule | Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts.
SV-103147r1_rule | Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
SV-103149r1_rule | Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts.
SV-103151r1_rule | Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.
SV-103153r1_rule | Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group.
SV-103155r1_rule | Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group.
SV-103157r1_rule | Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.
SV-103159r1_rule | Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
SV-103161r1_rule | Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.
SV-103163r1_rule | Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group.
SV-103165r1_rule | Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts.
SV-103167r1_rule | Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group.
SV-103169r1_rule | Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.
SV-103171r1_rule | Windows Server 2019 Profile single process user right must only be assigned to the Administrators group.
SV-103173r1_rule | Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.
SV-103175r1_rule | Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.
SV-103177r1_rule | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes.
SV-103179r1_rule | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes.
SV-103181r1_rule | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes.
SV-103183r1_rule | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures.
SV-103185r1_rule | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes.
SV-103187r1_rule | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes.
SV-103189r1_rule | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
SV-103191r1_rule | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
SV-103193r1_rule | Windows Server 2019 must be configured to audit System - IPsec Driver successes.
SV-103195r1_rule | Windows Server 2019 must be configured to audit System - IPsec Driver failures.
SV-103197r1_rule | Windows Server 2019 must be configured to audit System - Other System Events successes.
SV-103199r1_rule | Windows Server 2019 must be configured to audit System - Other System Events failures.
SV-103201r1_rule | Windows Server 2019 must be configured to audit System - Security State Change successes.
SV-103203r1_rule | Windows Server 2019 must be configured to audit System - Security System Extension successes.
SV-103205r1_rule | Windows Server 2019 must be configured to audit System - System Integrity successes.
SV-103207r1_rule | Windows Server 2019 must be configured to audit System - System Integrity failures.
SV-103209r1_rule | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings.
SV-103211r1_rule | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings.
SV-103213r1_rule | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings.
SV-103215r1_rule | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
SV-103217r1_rule | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings.
SV-103219r1_rule | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings.
SV-103221r1_rule | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes.
SV-103223r1_rule | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures.
SV-103225r1_rule | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes.
SV-103227r1_rule | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures.
SV-103229r1_rule | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less.
SV-103231r1_rule | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
SV-103233r1_rule | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater.
SV-103235r1_rule | Windows Server 2019 required legal notice must be configured to display before console logon.
SV-103237r1_rule | Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text.
SV-103239r1_rule | Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings.
SV-103241r1_rule | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes.
SV-103243r1_rule | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures.
SV-103245r1_rule | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes.
SV-103247r1_rule | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes.
SV-103249r1_rule | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes.
SV-103251r1_rule | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes.
SV-103253r1_rule | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures.
SV-103255r1_rule | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes.
SV-103257r1_rule | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures.
SV-103259r1_rule | Windows Server 2019 must be configured to audit logoff successes.
SV-103261r1_rule | Windows Server 2019 command line data must be included in process creation events.
SV-103263r1_rule | Windows Server 2019 PowerShell script block logging must be enabled.
SV-103265r1_rule | Windows Server 2019 Application event log size must be configured to 32768 KB or greater.
SV-103267r1_rule | Windows Server 2019 Security event log size must be configured to 196608 KB or greater.
SV-103269r1_rule | Windows Server 2019 System event log size must be configured to 32768 KB or greater.
SV-103271r1_rule | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited.
SV-103273r1_rule | Windows Server 2019 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
SV-103275r1_rule | The Windows Server 2019 time service must synchronize with an appropriate DoD time source.
SV-103277r1_rule | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts.
SV-103279r1_rule | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts.
SV-103281r1_rule | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts.
SV-103283r1_rule | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.
SV-103285r1_rule | Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.
SV-103287r1_rule | Windows Server 2019 must prevent users from changing installation options.
SV-103289r1_rule | Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option.
SV-103291r1_rule | Windows Server 2019 system files must be monitored for unauthorized changes.
SV-103293r1_rule | Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
SV-103295r1_rule | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
SV-103297r1_rule | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
SV-103299r3_rule | The password for the krbtgt account on a domain must be reset at least every 180 days.
SV-103301r1_rule | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
SV-103303r1_rule | Windows Server 2019 must be maintained at a supported servicing level.
SV-103305r1_rule | Windows Server 2019 must use an anti-virus program.
SV-103307r1_rule | Windows Server 2019 must have a host-based intrusion detection or prevention system.
SV-103309r2_rule | Windows Server 2019 must have software certificate installation files removed.
SV-103311r1_rule | Windows Server 2019 FTP servers must be configured to prevent anonymous logons.
SV-103313r1_rule | Windows Server 2019 FTP servers must be configured to prevent access to the system drive.
SV-103315r1_rule | Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights.
SV-103317r1_rule | Windows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
SV-103319r1_rule | Windows Server 2019 must have Secure Boot enabled.
SV-103321r1_rule | Windows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
SV-103323r1_rule | Windows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
SV-103325r1_rule | Windows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
SV-103327r1_rule | Windows Server 2019 insecure logons to an SMB server must be disabled.
SV-103329r1_rule | Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
SV-103331r1_rule | Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.
SV-103333r1_rule | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
SV-103337r1_rule | Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
SV-103339r1_rule | Windows Server 2019 group policy objects must be reprocessed even if they have not changed.
SV-103341r1_rule | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).
SV-103343r1_rule | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
SV-103345r1_rule | Windows Server 2019 Telemetry must be configured to Security or Basic.
SV-103347r1_rule | Windows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.
SV-103349r1_rule | Windows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.
SV-103351r1_rule | Windows Server 2019 File Explorer shell protocol must run in protected mode.
SV-103353r1_rule | Windows Server 2019 must prevent attachments from being downloaded from RSS feeds.
SV-103355r1_rule | Windows Server 2019 users must be notified if a web-based program attempts to install software.
SV-103357r1_rule | Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.
SV-103359r1_rule | Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
SV-103361r1_rule | Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords.
SV-103363r1_rule | Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
SV-103365r1_rule | Windows Server 2019 must be running Credential Guard on domain-joined member servers.
SV-103367r1_rule | Windows Server 2019 must prevent local accounts with blank passwords from being used from the network.
SV-103369r1_rule | Windows Server 2019 built-in administrator account must be renamed.
SV-103371r1_rule | Windows Server 2019 built-in guest account must be renamed.
SV-103373r1_rule | Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
SV-103375r1_rule | Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
SV-103377r1_rule | Windows Server 2019 must not allow anonymous SID/Name translation.
SV-103379r1_rule | Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
SV-103381r1_rule | Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
SV-103383r1_rule | Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
SV-103385r1_rule | Windows Server 2019 must prevent NTLM from falling back to a Null session.
SV-103387r1_rule | Windows Server 2019 must prevent PKU2U authentication using online identities.
SV-103389r1_rule | Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
SV-103391r1_rule | Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing.
SV-103393r1_rule | Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
SV-103395r1_rule | Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
SV-103397r1_rule | Windows Server 2019 default permissions of global system objects must be strengthened.
SV-103399r1_rule | Windows Server 2019 must preserve zone information when saving attachments.
SV-103401r1_rule | Windows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.
SV-103403r1_rule | Windows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.
SV-103405r1_rule | Windows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.
SV-103407r1_rule | Windows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on.
SV-103409r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe.
SV-103411r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe.
SV-103413r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for chrome.exe.
SV-103415r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE.
SV-103417r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for firefox.exe.
SV-103419r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE.
SV-103421r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE.
SV-103423r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe.
SV-103425r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE.
SV-103427r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe.
SV-103429r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for lync.exe.
SV-103431r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE.
SV-103433r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE.
SV-103435r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE.
SV-103437r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe.
SV-103439r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE.
SV-103441r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe.
SV-103443r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE.
SV-103445r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE.
SV-103447r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE.
SV-103449r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE.
SV-103451r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE.
SV-103453r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe.
SV-103455r1_rule | Windows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe.
SV-103457r1_rule | Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
SV-103459r1_rule | Windows Server 2019 Autoplay must be turned off for non-volume devices.
SV-103461r1_rule | Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.
SV-103463r1_rule | Windows Server 2019 AutoPlay must be disabled for all drives.
SV-103465r1_rule | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
SV-103467r1_rule | Windows Server 2019 must have the roles and features required by the system documented.
SV-103469r1_rule | Windows Server 2019 must not have the Fax Server role installed.
SV-103471r1_rule | Windows Server 2019 must not have the Peer Name Resolution Protocol installed.
SV-103473r1_rule | Windows Server 2019 must not have Simple TCP/IP Services installed.
SV-103475r1_rule | Windows Server 2019 must not have the TFTP Client installed.
SV-103477r1_rule | Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed.
SV-103479r1_rule | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
SV-103481r1_rule | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
SV-103483r1_rule | Windows Server 2019 must not have Windows PowerShell 2.0 installed.
SV-103485r1_rule | Windows Server 2019 must prevent the display of slide shows on the lock screen.
SV-103487r1_rule | Windows Server 2019 must have WDigest Authentication disabled.
SV-103489r1_rule | Windows Server 2019 downloading print driver packages over HTTP must be turned off.
SV-103491r1_rule | Windows Server 2019 printing over HTTP must be turned off.
SV-103493r1_rule | Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.
SV-103495r1_rule | Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
SV-103497r2_rule | Windows Server 2019 Windows Defender SmartScreen must be enabled.
SV-103499r1_rule | Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.
SV-103501r1_rule | Windows Server 2019 must prevent Indexing of encrypted files.
SV-103503r1_rule | Windows Server 2019 domain controllers must run on a machine dedicated to that function.
SV-103505r1_rule | Windows Server 2019 local users on domain-joined member servers must not be enumerated.
SV-103507r1_rule | Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.
SV-103509r1_rule | Windows Server 2019 must not have the Telnet Client installed.
SV-103511r1_rule | Windows Server 2019 must not save passwords in the Remote Desktop Client.
SV-103513r1_rule | Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.
SV-103515r1_rule | Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.
SV-103517r1_rule | Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.
SV-103519r1_rule | Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.
SV-103521r1_rule | Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
SV-103523r1_rule | Windows Server 2019 shared user accounts must not be permitted.
SV-103525r2_rule | Windows Server 2019 accounts must require passwords.
SV-103527r1_rule | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
SV-103529r1_rule | Windows Server 2019 Kerberos user logon restrictions must be enforced.
SV-103531r1_rule | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
SV-103533r1_rule | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.
SV-103535r1_rule | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
SV-103537r1_rule | Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.
SV-103539r1_rule | Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems.
SV-103541r1_rule | Windows Server 2019 computer account password must not be prevented from being reset.
SV-103543r1_rule | Windows Server 2019 outdated or unused accounts must be removed or disabled.
SV-103545r1_rule | Windows Server 2019 must have the built-in Windows password complexity policy enabled.
SV-103547r1_rule | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length.
SV-103549r1_rule | Windows Server 2019 minimum password length must be configured to 14 characters.
SV-103551r1_rule | Windows Server 2019 reversible password encryption must be disabled.
SV-103553r1_rule | Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.
SV-103555r1_rule | Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
SV-103557r1_rule | Windows Server 2019 minimum password age must be configured to at least one day.
SV-103559r1_rule | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.
SV-103561r1_rule | Windows Server 2019 passwords must be configured to expire.
SV-103563r1_rule | Windows Server 2019 maximum password age must be configured to 60 days or less.
SV-103565r1_rule | Windows Server 2019 password history must be configured to 24 passwords remembered.
SV-103567r1_rule | Windows Server 2019 domain controllers must have a PKI server certificate.
SV-103569r1_rule | Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
SV-103571r1_rule | Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).
SV-103573r1_rule | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
SV-103575r1_rule | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
SV-103577r1_rule | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
SV-103579r1_rule | Windows Server 2019 users must be required to enter a password to access private keys stored on the computer.
SV-103581r1_rule | Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
SV-103583r1_rule | Windows Server 2019 must have the built-in guest account disabled.
SV-103585r1_rule | Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.
SV-103587r1_rule | Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
SV-103589r1_rule | Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.
SV-103591r1_rule | Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.
SV-103593r1_rule | Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.
SV-103595r1_rule | Windows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.
SV-103597r1_rule | Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
SV-103599r1_rule | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
SV-103601r1_rule | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
SV-103603r1_rule | Windows Server 2019 administrator accounts must not be enumerated during elevation.
SV-103605r1_rule | Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
SV-103607r1_ruleWindows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
SV-103609r1_ruleWindows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
SV-103611r1_ruleWindows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.
SV-103613r1_ruleWindows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
SV-103615r1_ruleWindows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
SV-103617r1_ruleWindows Server 2019 non-system-created file shares must limit access to groups that require it.
SV-103619r1_ruleWindows Server 2019 Remote Desktop Services must prevent drive redirection.
SV-103621r1_ruleWindows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.
SV-103623r1_ruleWindows Server 2019 must not allow anonymous enumeration of shares.
SV-103625r1_ruleWindows Server 2019 must restrict anonymous access to Named Pipes and Shares.
SV-103627r1_ruleWindows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.
SV-103629r1_ruleWindows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
SV-103631r1_ruleWindows Server 2019 domain controllers must require LDAP access signing.
SV-103633r1_ruleWindows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
SV-103635r1_ruleWindows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
SV-103637r1_ruleWindows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
SV-103639r1_ruleWindows Server 2019 must be configured to require a strong session key.
SV-103641r1_ruleWindows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
SV-103643r1_ruleWindows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
SV-103645r1_ruleWindows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
SV-103647r1_ruleWindows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
SV-103649r1_ruleWindows Server 2019 Explorer Data Execution Prevention must be enabled.
SV-103651r1_ruleWindows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.
SV-103653r1_ruleWindows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
SV-103657r1_ruleWindows Server 2019 must have a host-based firewall installed and enabled.