STIGQter STIGQter: STIG Summary:

Microsoft Windows Server 2019 Security Technical Implementation Guide

Version: 2

Release: 2 Benchmark Date: 04 May 2021

CheckedNameTitle
SV-205624r569188_ruleWindows Server 2019 must automatically remove or disable temporary user accounts after 72 hours.
SV-205625r569188_ruleWindows Server 2019 must be configured to audit Account Management - Security Group Management successes.
SV-205626r569188_ruleWindows Server 2019 must be configured to audit Account Management - User Account Management successes.
SV-205627r569188_ruleWindows Server 2019 must be configured to audit Account Management - User Account Management failures.
SV-205628r569188_ruleWindows Server 2019 must be configured to audit Account Management - Computer Account Management successes.
SV-205629r569188_ruleWindows Server 2019 must have the number of allowed bad logon attempts configured to three or less.
SV-205630r569188_ruleWindows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
SV-205631r569188_ruleWindows Server 2019 required legal notice must be configured to display before console logon.
SV-205632r569188_ruleWindows Server 2019 title for legal banner dialog box must be configured with the appropriate text.
SV-205633r569188_ruleWindows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
SV-205634r569188_ruleWindows Server 2019 must be configured to audit logon successes.
SV-205635r569188_ruleWindows Server 2019 must be configured to audit logon failures.
SV-205636r569188_ruleWindows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
SV-205637r569188_ruleWindows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level.
SV-205638r569188_ruleWindows Server 2019 command line data must be included in process creation events.
SV-205639r569188_ruleWindows Server 2019 PowerShell script block logging must be enabled.
SV-205640r569188_ruleWindows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts.
SV-205641r569188_ruleWindows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts.
SV-205642r569188_ruleWindows Server 2019 permissions for the System event log must prevent access by non-privileged accounts.
SV-205643r569188_ruleWindows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group.
SV-205644r569188_ruleWindows Server 2019 must force audit policy subcategory settings to override audit policy category settings.
SV-205645r569188_ruleWindows Server 2019 domain controllers must have a PKI server certificate.
SV-205646r569188_ruleWindows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
SV-205647r569188_ruleWindows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA).
SV-205648r569280_ruleWindows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
SV-205649r573795_ruleWindows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
SV-205650r573797_ruleWindows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
SV-205651r569188_ruleWindows Server 2019 users must be required to enter a password to access private keys stored on the computer.
SV-205652r569188_ruleWindows Server 2019 must have the built-in Windows password complexity policy enabled.
SV-205653r569188_ruleWindows Server 2019 reversible password encryption must be disabled.
SV-205654r569188_ruleWindows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.
SV-205655r569188_ruleWindows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
SV-205656r569188_ruleWindows Server 2019 minimum password age must be configured to at least one day.
SV-205657r569188_ruleWindows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.
SV-205658r569188_ruleWindows Server 2019 passwords must be configured to expire.
SV-205659r569188_ruleWindows Server 2019 maximum password age must be configured to 60 days or less.
SV-205660r569188_ruleWindows Server 2019 password history must be configured to 24 passwords remembered.
SV-205661r569188_ruleWindows Server 2019 manually managed application account passwords must be at least 15 characters in length.
SV-205662r569188_ruleWindows Server 2019 minimum password length must be configured to 14 characters.
SV-205663r569188_ruleWindows Server 2019 local volumes must use a format that supports NTFS attributes.
SV-205664r569188_ruleWindows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares.
SV-205665r569188_ruleWindows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
SV-205666r569188_ruleWindows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers.
SV-205667r569188_ruleWindows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
SV-205668r569188_ruleWindows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
SV-205669r569188_ruleWindows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
SV-205670r569188_ruleWindows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
SV-205671r569188_ruleWindows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems.
SV-205672r569188_ruleWindows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
SV-205673r569188_ruleWindows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
SV-205674r569188_ruleWindows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
SV-205675r569188_ruleWindows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
SV-205676r569188_ruleWindows Server 2019 Allow log on locally user right must only be assigned to the Administrators group.
SV-205677r569188_ruleWindows Server 2019 must have the roles and features required by the system documented.
SV-205678r569188_ruleWindows Server 2019 must not have the Fax Server role installed.
SV-205679r569188_ruleWindows Server 2019 must not have the Peer Name Resolution Protocol installed.
SV-205680r569188_ruleWindows Server 2019 must not have Simple TCP/IP Services installed.
SV-205681r569188_ruleWindows Server 2019 must not have the TFTP Client installed.
SV-205682r569188_ruleWindows Server 2019 must not the Server Message Block (SMB) v1 protocol installed.
SV-205683r569188_ruleWindows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
SV-205684r569188_ruleWindows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
SV-205685r569188_ruleWindows Server 2019 must not have Windows PowerShell 2.0 installed.
SV-205686r569188_ruleWindows Server 2019 must prevent the display of slide shows on the lock screen.
SV-205687r569188_ruleWindows Server 2019 must have WDigest Authentication disabled.
SV-205688r569188_ruleWindows Server 2019 downloading print driver packages over HTTP must be turned off.
SV-205689r569188_ruleWindows Server 2019 printing over HTTP must be turned off.
SV-205690r569188_ruleWindows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.
SV-205691r569188_ruleWindows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
SV-205692r569188_ruleWindows Server 2019 Windows Defender SmartScreen must be enabled.
SV-205693r569188_ruleWindows Server 2019 must disable Basic authentication for RSS feeds over HTTP.
SV-205694r569188_ruleWindows Server 2019 must prevent Indexing of encrypted files.
SV-205695r569188_ruleWindows Server 2019 domain controllers must run on a machine dedicated to that function.
SV-205696r569188_ruleWindows Server 2019 local users on domain-joined member servers must not be enumerated.
SV-205697r569188_ruleWindows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.
SV-205698r569188_ruleWindows Server 2019 must not have the Telnet Client installed.
SV-205699r569188_ruleWindows Server 2019 shared user accounts must not be permitted.
SV-205700r569188_ruleWindows Server 2019 accounts must require passwords.
SV-205701r569188_ruleWindows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
SV-205702r569188_ruleWindows Server 2019 Kerberos user logon restrictions must be enforced.
SV-205703r569188_ruleWindows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
SV-205704r569188_ruleWindows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.
SV-205705r569188_ruleWindows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
SV-205706r569188_ruleWindows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.
SV-205707r569188_ruleWindows Server 2019 outdated or unused accounts must be removed or disabled.
SV-205708r569188_ruleWindows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
SV-205709r569188_ruleWindows Server 2019 must have the built-in guest account disabled.
SV-205710r569188_ruleWindows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
SV-205711r569188_ruleWindows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.
SV-205712r569188_ruleWindows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.
SV-205713r569188_ruleWindows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.
SV-205714r569188_ruleWindows Server 2019 administrator accounts must not be enumerated during elevation.
SV-205715r569188_ruleWindows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
SV-205716r569188_ruleWindows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
SV-205717r569188_ruleWindows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
SV-205718r569188_ruleWindows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.
SV-205719r569188_ruleWindows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
SV-205720r569188_ruleWindows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
SV-205721r569188_ruleWindows Server 2019 non-system-created file shares must limit access to groups that require it.
SV-205722r569188_ruleWindows Server 2019 Remote Desktop Services must prevent drive redirection.
SV-205723r569188_ruleWindows Server 2019 data files owned by users must be on a different logical partition from the directory server data files.
SV-205724r569188_ruleWindows Server 2019 must not allow anonymous enumeration of shares.
SV-205725r569188_ruleWindows Server 2019 must restrict anonymous access to Named Pipes and Shares.
SV-205726r569188_ruleWindows Server 2019 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.
SV-205727r569188_ruleWindows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
SV-205728r569188_ruleWindows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
SV-205729r569188_ruleWindows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes.
SV-205730r569188_ruleWindows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures.
SV-205731r569188_ruleWindows Server 2019 Event Viewer must be protected from unauthorized modification and deletion.
SV-205732r569188_ruleWindows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
SV-205733r569188_ruleWindows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
SV-205734r569188_ruleWindows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
SV-205735r569188_ruleWindows Server 2019 permissions for program file directories must conform to minimum requirements.
SV-205736r569188_ruleWindows Server 2019 permissions for the Windows installation directory must conform to minimum requirements.
SV-205737r569188_ruleWindows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
SV-205738r569188_ruleWindows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
SV-205739r569188_ruleWindows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access.
SV-205740r569188_ruleWindows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions.
SV-205741r569188_ruleWindows Server 2019 Active Directory Group Policy objects must have proper access control permissions.
SV-205742r569188_ruleWindows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
SV-205743r569188_ruleWindows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
SV-205744r569188_ruleWindows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers.
SV-205745r569188_ruleWindows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
SV-205746r569188_ruleWindows Server 2019 must only allow administrators responsible for the member server or standalone system to have Administrator rights on the system.
SV-205747r569188_ruleWindows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone systems.
SV-205748r569188_ruleWindows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone systems.
SV-205749r569188_ruleWindows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
SV-205750r569188_ruleWindows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts.
SV-205751r569188_ruleWindows Server 2019 Back up files and directories user right must only be assigned to the Administrators group.
SV-205752r569188_ruleWindows Server 2019 Create a pagefile user right must only be assigned to the Administrators group.
SV-205753r569188_ruleWindows Server 2019 Create a token object user right must not be assigned to any groups or accounts.
SV-205754r569188_ruleWindows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
SV-205755r569188_ruleWindows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts.
SV-205756r569188_ruleWindows Server 2019 Create symbolic links user right must only be assigned to the Administrators group.
SV-205757r569188_ruleWindows Server 2019 Debug programs: user right must only be assigned to the Administrators group.
SV-205758r569188_ruleWindows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group.
SV-205759r569188_ruleWindows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service.
SV-205760r569188_ruleWindows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
SV-205761r569188_ruleWindows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group.
SV-205762r569188_ruleWindows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group.
SV-205763r569188_ruleWindows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts.
SV-205764r569188_ruleWindows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group.
SV-205765r569188_ruleWindows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group.
SV-205766r569188_ruleWindows Server 2019 Profile single process user right must only be assigned to the Administrators group.
SV-205767r569188_ruleWindows Server 2019 Restore files and directories user right must only be assigned to the Administrators group.
SV-205768r569188_ruleWindows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group.
SV-205769r569188_ruleWindows Server 2019 must be configured to audit Account Management - Other Account Management Events successes.
SV-205770r569188_ruleWindows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes.
SV-205771r569188_ruleWindows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes.
SV-205772r569188_ruleWindows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures.
SV-205773r569188_ruleWindows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes.
SV-205774r569188_ruleWindows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes.
SV-205775r569188_ruleWindows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
SV-205776r569188_ruleWindows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
SV-205777r569188_ruleWindows Server 2019 must be configured to audit System - IPsec Driver successes.
SV-205778r569188_ruleWindows Server 2019 must be configured to audit System - IPsec Driver failures.
SV-205779r569188_ruleWindows Server 2019 must be configured to audit System - Other System Events successes.
SV-205780r569188_ruleWindows Server 2019 must be configured to audit System - Other System Events failures.
SV-205781r569188_ruleWindows Server 2019 must be configured to audit System - Security State Change successes.
SV-205782r569188_ruleWindows Server 2019 must be configured to audit System - Security System Extension successes.
SV-205783r569188_ruleWindows Server 2019 must be configured to audit System - System Integrity successes.
SV-205784r569188_ruleWindows Server 2019 must be configured to audit System - System Integrity failures.
SV-205785r569188_ruleWindows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings.
SV-205786r569188_ruleWindows Server 2019 Active Directory Domain object must be configured with proper audit settings.
SV-205787r569188_ruleWindows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings.
SV-205788r569188_ruleWindows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
SV-205789r569188_ruleWindows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings.
SV-205790r569188_ruleWindows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings.
SV-205791r569188_ruleWindows Server 2019 must be configured to audit DS Access - Directory Service Access successes.
SV-205792r569188_ruleWindows Server 2019 must be configured to audit DS Access - Directory Service Access failures.
SV-205793r569188_ruleWindows Server 2019 must be configured to audit DS Access - Directory Service Changes successes.
SV-205794r569188_ruleWindows Server 2019 must be configured to audit DS Access - Directory Service Changes failures.
SV-205795r569188_ruleWindows Server 2019 account lockout duration must be configured to 15 minutes or greater.
SV-205796r569188_ruleWindows Server 2019 Application event log size must be configured to 32768 KB or greater.
SV-205797r569188_ruleWindows Server 2019 Security event log size must be configured to 196608 KB or greater.
SV-205798r569188_ruleWindows Server 2019 System event log size must be configured to 32768 KB or greater.
SV-205799r569188_ruleWindows Server 2019 audit records must be backed up to a different system or media than the system being audited.
SV-205800r569188_ruleThe Windows Server 2019 time service must synchronize with an appropriate DoD time source.
SV-205801r569188_ruleWindows Server 2019 must prevent users from changing installation options.
SV-205802r569188_ruleWindows Server 2019 must disable the Windows Installer Always install with elevated privileges option.
SV-205803r569241_ruleWindows Server 2019 system files must be monitored for unauthorized changes.
SV-205804r569188_ruleWindows Server 2019 Autoplay must be turned off for non-volume devices.
SV-205805r569188_ruleWindows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands.
SV-205806r569188_ruleWindows Server 2019 AutoPlay must be disabled for all drives.
SV-205807r569188_ruleWindows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
SV-205808r569188_ruleWindows Server 2019 must not save passwords in the Remote Desktop Client.
SV-205809r569188_ruleWindows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.
SV-205810r569188_ruleWindows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.
SV-205811r569188_ruleWindows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.
SV-205812r569188_ruleWindows Server 2019 User Account Control must automatically deny standard user requests for elevation.
SV-205813r569188_ruleWindows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
SV-205814r569188_ruleWindows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems.
SV-205815r569188_ruleWindows Server 2019 computer account password must not be prevented from being reset.
SV-205816r569188_ruleWindows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic.
SV-205817r569188_ruleWindows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
SV-205818r569188_ruleWindows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
SV-205819r569188_ruleWindows Server 2019 must be configured to ignore NetBIOS name release requests except from WINS servers.
SV-205820r569188_ruleWindows Server 2019 domain controllers must require LDAP access signing.
SV-205821r569188_ruleWindows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
SV-205822r569188_ruleWindows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled.
SV-205823r569188_ruleWindows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
SV-205824r569188_ruleWindows Server 2019 must be configured to require a strong session key.
SV-205825r569188_ruleWindows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
SV-205826r569188_ruleWindows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
SV-205827r569188_ruleWindows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
SV-205828r569188_ruleWindows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
SV-205829r569188_ruleWindows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
SV-205830r569188_ruleWindows Server 2019 Explorer Data Execution Prevention must be enabled.
SV-205831r569188_ruleWindows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on.
SV-205832r569188_ruleWindows Server 2019 must be configured to audit Account Logon - Credential Validation successes.
SV-205833r569188_ruleWindows Server 2019 must be configured to audit Account Logon - Credential Validation failures.
SV-205834r569188_ruleWindows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes.
SV-205835r569188_ruleWindows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes.
SV-205836r569188_ruleWindows Server 2019 must be configured to audit Object Access - Other Object Access Events successes.
SV-205837r569188_ruleWindows Server 2019 must be configured to audit Object Access - Other Object Access Events failures.
SV-205838r569188_ruleWindows Server 2019 must be configured to audit logoff successes.
SV-205839r569188_ruleWindows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes.
SV-205840r569188_ruleWindows Server 2019 must be configured to audit Object Access - Removable Storage successes.
SV-205841r569188_ruleWindows Server 2019 must be configured to audit Object Access - Removable Storage failures.
SV-205842r569188_ruleWindows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
SV-205843r569188_ruleWindows Server 2019 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly.
SV-205844r569188_ruleWindows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
SV-205845r569188_ruleWindows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
SV-205846r569188_ruleWindows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
SV-205847r569188_ruleWindows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
SV-205848r569188_ruleWindows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
SV-205849r569188_ruleWindows Server 2019 must be maintained at a supported servicing level.
SV-205850r569245_ruleWindows Server 2019 must use an anti-virus program.
SV-205851r569188_ruleWindows Server 2019 must have a host-based intrusion detection or prevention system.
SV-205852r569188_ruleWindows Server 2019 must have software certificate installation files removed.
SV-205853r569188_ruleWindows Server 2019 FTP servers must be configured to prevent anonymous logons.
SV-205854r569188_ruleWindows Server 2019 FTP servers must be configured to prevent access to the system drive.
SV-205855r569188_ruleWindows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights.
SV-205856r569188_ruleWindows Server 2019 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
SV-205857r569188_ruleWindows Server 2019 must have Secure Boot enabled.
SV-205858r569188_ruleWindows Server 2019 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
SV-205859r569188_ruleWindows Server 2019 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
SV-205860r569188_ruleWindows Server 2019 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
SV-205861r569188_ruleWindows Server 2019 insecure logons to an SMB server must be disabled.
SV-205862r569188_ruleWindows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
SV-205863r569188_ruleWindows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials.
SV-205864r569188_ruleWindows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
SV-205865r569188_ruleWindows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
SV-205866r569188_ruleWindows Server 2019 group policy objects must be reprocessed even if they have not changed.
SV-205867r569188_ruleWindows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery).
SV-205868r569188_ruleWindows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in).
SV-205869r569188_ruleWindows Server 2019 Telemetry must be configured to Security or Basic.
SV-205870r569188_ruleWindows Server 2019 Windows Update must not obtain updates from other PCs on the Internet.
SV-205871r569188_ruleWindows Server 2019 Turning off File Explorer heap termination on corruption must be disabled.
SV-205872r569188_ruleWindows Server 2019 File Explorer shell protocol must run in protected mode.
SV-205873r569188_ruleWindows Server 2019 must prevent attachments from being downloaded from RSS feeds.
SV-205874r569188_ruleWindows Server 2019 users must be notified if a web-based program attempts to install software.
SV-205875r569188_ruleWindows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
SV-205876r569188_ruleWindows Server 2019 domain controllers must be configured to allow reset of machine account passwords.
SV-205877r569188_ruleThe password for the krbtgt account on a domain must be reset at least every 180 days.
SV-205878r569188_ruleWindows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on.
SV-205879r569188_ruleWindows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on.
SV-205880r569188_ruleWindows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on.
SV-205881r569188_ruleWindows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on.
SV-205882r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe.
SV-205883r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe.
SV-205884r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for chrome.exe.
SV-205885r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE.
SV-205886r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for firefox.exe.
SV-205887r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE.
SV-205888r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE.
SV-205889r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe.
SV-205890r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE.
SV-205891r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe.
SV-205892r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for lync.exe.
SV-205893r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE.
SV-205894r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE.
SV-205895r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE.
SV-205896r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe.
SV-205897r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE.
SV-205898r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe.
SV-205899r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE.
SV-205900r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE.
SV-205901r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE.
SV-205902r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE.
SV-205903r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE.
SV-205904r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe.
SV-205905r569188_ruleWindows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe.
SV-205906r569188_ruleWindows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers.
SV-205907r569188_ruleWindows Server 2019 must be running Credential Guard on domain-joined member servers.
SV-205908r569188_ruleWindows Server 2019 must prevent local accounts with blank passwords from being used from the network.
SV-205909r569188_ruleWindows Server 2019 built-in administrator account must be renamed.
SV-205910r569188_ruleWindows Server 2019 built-in guest account must be renamed.
SV-205911r569188_ruleWindows Server 2019 maximum age for machine account passwords must be configured to 30 days or less.
SV-205912r569188_ruleWindows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
SV-205913r569188_ruleWindows Server 2019 must not allow anonymous SID/Name translation.
SV-205914r569188_ruleWindows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
SV-205915r569188_ruleWindows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
SV-205916r569188_ruleWindows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
SV-205917r569188_ruleWindows Server 2019 must prevent NTLM from falling back to a Null session.
SV-205918r569188_ruleWindows Server 2019 must prevent PKU2U authentication using online identities.
SV-205919r569188_ruleWindows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
SV-205920r569188_ruleWindows Server 2019 must be configured to at least negotiate signing for LDAP client signing.
SV-205921r569188_ruleWindows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
SV-205922r569188_ruleWindows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
SV-205923r569188_ruleWindows Server 2019 default permissions of global system objects must be strengthened.
SV-205924r569188_ruleWindows Server 2019 must preserve zone information when saving attachments.
SV-205925r569188_ruleWindows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart.
SV-214936r569188_ruleWindows Server 2019 must have a host-based firewall installed and enabled.
SV-236001r641821_ruleThe Windows Explorer Preview pane must be disabled for Windows Server 2019.