Windows Server 2019 Security Technical Implementation Guide

Windows Server 2019 Security Technical Implementation Guide provides guidance on securing Windows Server 2019. It details 304 findings categorized by severity (high, medium, low). The document lists configuration settings that should be implemented to prevent issues like anonymous access, improper permissions, weak authentication methods, and other security risks. Domain controllers and member servers must be kept up to date with supported servicing levels to receive patches.


Overview
Version: 1
Date: 2020-06-15
Finding Count: 304 (CAT I (High): 33; CAT II (Med): 257; CAT III (Low): 14)

STIG Description

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].

Available Profiles

Findings (MAC III - Administrative Sensitive)


Finding ID | Severity | Title | Description
V-92991 | High | Windows Server 2019 local volumes must use a format that supports NTFS attributes. | The ability to set access permissions and auditing is critical to maintaining the security and proper access controls of a system. To support this, volumes must be formatted using a file system ...
V-93301 | High | Windows Server 2019 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM. | The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts. NTLM, which is less secure, is retained in later Windows versions for ...
V-93539 | High | Windows Server 2019 must restrict anonymous access to Named Pipes and Shares. | Allowing anonymous access to named pipes or shares provides the potential for unauthorized system access. This setting restricts access to those defined in "Network access: Named Pipes that can be ...
V-93029 | High | Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access. | Improper access permissions for directory data-related files could allow unauthorized users to read, modify, or delete directory data or audit trails.
V-93027 | High | Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system. | An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and ...
V-93037 | High | Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or ...
V-93485 | High | Windows Server 2019 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have ...
V-93483 | High | Windows Server 2019 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | A PKI implementation depends on the practices established by the Certificate Authority (CA) to ensure the implementation is secure. Without proper practices, the certificates issued by a CA have ...
V-93369 | High | Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | Using a privileged account to perform routine functions makes the computer vulnerable to malicious software inadvertently introduced during a session that has been granted full privileges.
V-93057 | High | Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Create a token object" user right allows a process to create an access token. ...
V-93537 | High | Windows Server 2019 must not allow anonymous enumeration of shares. | Allowing anonymous logon users (null session connections) to list all account names and enumerate all shared resources can provide a map of potential points to attack the system.
V-93373 | High | Windows Server 2019 Autoplay must be turned off for non-volume devices. | Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or ...
V-93375 | High | Windows Server 2019 default AutoRun behavior must be configured to prevent AutoRun commands. | Allowing AutoRun commands to execute may introduce malicious code to a system. Configuring this setting prevents AutoRun commands from executing.
V-93377 | High | Windows Server 2019 AutoPlay must be disabled for all drives. | Allowing AutoPlay to execute may introduce malicious code to a system. AutoPlay begins reading from a drive as soon as media is inserted into the drive. As a result, the setup file of programs or ...
V-93291 | High | Windows Server 2019 must not allow anonymous enumeration of Security Account Manager (SAM) accounts. | Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all account names, thus providing a list of potential points to attack the system.
V-93279 | High | Windows Server 2019 must prevent local accounts with blank passwords from being used from the network. | An account without a password can allow unauthorized access to a system as only the username would be required. Password policies should prevent accounts with blank passwords from existing on a ...
V-93271 | High | Windows Server 2019 directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access. | To the extent that anonymous access to directory data (outside the root DSE) is permitted, read access control of the data is effectively disabled. If other means of controlling access (such as ...
V-93277 | High | Windows Server 2019 must be running Credential Guard on domain-joined member servers. | Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local ...
V-93065 | High | Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Debug programs" user right can attach a debugger to any process or ...
V-93215 | High | Windows Server 2019 must be maintained at a supported servicing level. | Systems at unsupported servicing levels will not receive security updates for new vulnerabilities, which leave them subject to exploitation. Systems must be maintained at a servicing level ...
V-93465 | High | Windows Server 2019 reversible password encryption must be disabled. | Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords, which are easily compromised. For this reason, this policy must never be enabled.
V-93467 | High | Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords. | The LAN Manager hash uses a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. This setting controls whether a LAN Manager hash of ...
V-93051 | High | Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Act as part of the operating system" user right can assume the ...
V-93507 | High | Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.
V-93503 | High | Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.
V-93043 | High | Windows Server 2019 must only allow administrators responsible for the member server or standalone system to have Administrator rights on the system. | An account that does not have Administrator duties must not have Administrator rights. Such rights would allow the account to bypass or modify required security restrictions on that machine and ...
V-93201 | High | Windows Server 2019 must disable the Windows Installer Always install with elevated privileges option. | Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain ...
V-93205 | High | Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while ...
V-93289 | High | Windows Server 2019 must not allow anonymous SID/Name translation. | Allowing anonymous SID/Name translation can provide sensitive information for accessing a system. Only authorized users must be able to perform such translations.
V-93033 | High | Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. | When directory service database objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or ...
V-93031 | High | Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions. | Improper access permissions for directory data files could allow unauthorized users to read, modify, or delete directory data. The SYSVOL directory contains public files (to the domain) such as ...
V-93035 | High | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | When Active Directory objects do not have appropriate access control permissions, it may be possible for malicious users to create, read, update, or delete the objects and degrade or destroy the ...
V-93217 | High | Windows Server 2019 must use an anti-virus program. | Malicious software can establish a base on individual desktops and servers. Employing an automated mechanism to detect this type of software will aid in elimination of the software from the ...
V-93451 | Medium | Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less. | This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two ...
V-93333 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for GROOVE.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93119 | Medium | Windows Server 2019 must be configured to audit System - System Integrity failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93321 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for Acrobat.exe. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93199 | Medium | Windows Server 2019 must prevent users from changing installation options. | Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.
V-93223 | Medium | Windows Server 2019 FTP servers must be configured to prevent anonymous logons. | The FTP service allows remote users to access shared files and directories. Allowing anonymous FTP connections makes user auditing difficult. Using accounts that have administrator privileges to ...
V-93221 | Medium | Windows Server 2019 must have software certificate installation files removed. | Use of software certificates and their accompanying installation files for end users to access resources is less secure than the use of hardware-based certificates.
V-93227 | Medium | Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights. | Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons including deletion of the accounts or groups. If the account or group objects are reanimated, there ...
V-93225 | Medium | Windows Server 2019 FTP servers must be configured to prevent access to the system drive. | The FTP service allows remote users to access shared files and directories that could provide access to system resources and compromise the system, especially if the user can gain access to the ...
V-93161 | Medium | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93535 | Medium | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files. | When directory service data files, especially for directories used for identification, authentication, or authorization, reside on the same logical partition as user-owned files, the directory ...
V-93533 | Medium | Windows Server 2019 Remote Desktop Services must prevent drive redirection. | Preventing users from sharing the local drives on their client computers with Remote Session Hosts that they access helps reduce possible exposure of sensitive data.
V-93531 | Medium | Windows Server 2019 non-system-created file shares must limit access to groups that require it. | Shares on a system provide network access. To prevent exposing sensitive information, where shares are necessary, permissions must be reconfigured to give the minimum access to accounts that ...
V-93303 | Medium | Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing. | This setting controls the signing requirements for LDAP clients. This must be set to "Negotiate signing" or "Require signing", depending on the environment and type of LDAP server in use.
V-93305 | Medium | Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption. | Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.
V-93307 | Medium | Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption. | Microsoft has implemented a variety of security support providers for use with Remote Procedure Call (RPC) sessions. All of the options must be enabled to ensure the maximum security level.
V-93147 | Medium | Windows Server 2019 required legal notice must be configured to display before console logon. | Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. Satisfies: SRG-OS-000023-GPOS-00006, ...
V-93145 | Medium | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that an account will remain locked after the specified ...
V-93131 | Medium | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The ...
V-93143 | Medium | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the period of time that must pass after failed logon attempts before the ...
V-93141 | Medium | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | The account lockout feature, when enabled, prevents brute-force password attacks on the system. The higher this value is, the less effective the account lockout feature will be in protecting the ...
V-93389 | Medium | Windows Server 2019 must not have the TFTP Client installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.
V-93021 | Medium | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. The default permissions ...
V-93435 | Medium | Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting enables UAC. Satisfies: ...
V-93023 | Medium | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. The default permissions ...
V-93433 | Medium | Windows Server 2019 User Account Control must automatically deny standard user requests for elevation. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting controls the behavior of elevation ...
V-93025 | Medium | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous ...
V-93491 | Medium | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the US DoD CCEB ...
V-93543 | Medium | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for example, during aggregation, at protocol transformation points, and during ...
V-93493 | Medium | Windows Server 2019 users must be required to enter a password to access private keys stored on the computer. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key ...
V-93495 | Medium | Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | Certain encryption types are no longer considered secure. The DES and RC4 encryption suites must not be used for Kerberos encryption. Note: Organizations with domain controllers running earlier ...
V-93497 | Medium | Windows Server 2019 must have the built-in guest account disabled. | A system faces an increased vulnerability threat if the built-in guest account is not disabled. This is a known account that exists on all Windows systems and cannot be deleted. This account is ...
V-93425 | Medium | Windows Server 2019 must not save passwords in the Remote Desktop Client. | Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system. The system must be configured to prevent users from saving ...
V-93499 | Medium | Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic. | Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. Satisfies: ...
V-93123 | Medium | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The ...
V-93317 | Medium | Windows Server 2019 Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on. | Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Validate exception chains (SEHOP)", are enabled by default at ...
V-93315 | Medium | Windows Server 2019 Exploit Protection system-level mitigation, Control flow guard (CFG), must be on. | Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Control flow guard (CFG)", are enabled by default at the ...
V-93099 | Medium | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93313 | Medium | Windows Server 2019 Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on. | Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Data Execution Prevention (DEP)", are enabled by default at ...
V-93311 | Medium | Windows Server 2019 must preserve zone information when saving attachments. | Attachments from outside sources may contain malicious code. Preserving zone of origin (Internet, intranet, local, restricted) information on file attachments allows Windows to determine risk.
V-93095 | Medium | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93547 | Medium | Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure ...
V-93097 | Medium | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93387 | Medium | Windows Server 2019 must not have Simple TCP/IP Services installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.
V-93091 | Medium | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93093 | Medium | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93319 | Medium | Windows Server 2019 Exploit Protection system-level mitigation, Validate heap integrity, must be on. | Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Validate heap integrity", are enabled by default at the ...
V-93015 | Medium | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on locally" user right defines accounts that are prevented from logging ...
V-93017 | Medium | Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Allow log on locally" user right can log on interactively to a system.
V-93517 | Medium | Windows Server 2019 administrator accounts must not be enumerated during elevation. | Enumeration of administrator accounts when elevating can provide part of the logon information to an unauthorized user. This setting configures the system to always require users to type in a ...
V-93011 | Medium | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a batch job" user right defines accounts that are prevented from ...
V-93013 | Medium | Windows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a service" user right defines accounts that are denied logon as a ...
V-93257 | Medium | Windows Server 2019 Telemetry must be configured to Security or Basic. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information ...
V-93255 | Medium | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in). | A system that does not require authentication when resuming from sleep may provide access to unauthorized users. Authentication must always be required when accessing a system. This setting ...
V-93019 | Medium | Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements. | Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications. The default permissions ...
V-93251 | Medium | Windows Server 2019 group policy objects must be reprocessed even if they have not changed. | Registry entries for group policy settings can potentially be changed from the required configuration. This could occur as part of troubleshooting or by a malicious process on a compromised ...
V-93511 | Medium | Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. Government ...
V-93155 | Medium | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93157 | Medium | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-92983 | Medium | Windows Server 2019 must be configured to audit Account Management - User Account Management failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93151 | Medium | Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93153 | Medium | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93397 | Medium | Windows Server 2019 must not have Windows PowerShell 2.0 installed. | Windows PowerShell 5.x added advanced logging features that can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade ...
V-93395 | Medium | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.
V-93159 | Medium | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93391 | Medium | Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks and is not FIPS compliant.
Windows Server 2019 Re This setting controls the ability of users to
mote Desktop Services mu supply passwords automatically as part of their
st always prompt a client f remote desktop connection. Disabling this
or passwords upon connect setting would allow anyone to use the stored
V-93427 Medium ion. credentials in ...
Windows Server 2019 mus
t have the DoD Interoperab
ility Root Certificate Auth To ensure users do not experience denial of
ority (CA) cross-certificate service when performing certificate-based
s installed in the Untrusted authentication to DoD websites due to the
Certificates Store on uncla system chaining to a root other than DoD Root
V-93489 Medium ssified systems. CAs, the DoD ...
Windows Server 2019 user A system that does not require authentication
s must be prompted to auth when resuming from sleep may provide access
enticate when the system to unauthorized users. Authentication must
wakes from sleep (on batte always be required when accessing a system.
V-93253 Medium ry). This setting ...
V-93481 | Medium | Windows Server 2019 domain controllers must have a PKI server certificate. | Domain controllers are part of the chain of trust for PKI authentications. Without the appropriate certificate, the authenticity of the domain controller cannot be verified. Domain controllers ...
V-93363 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for WINWORD.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93249 | Medium | Windows Server 2019 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. | Compromised boot drivers can introduce malware prior to protection mechanisms that load after initialization. The Early Launch Antimalware driver can limit allowed drivers based on classifications ...
V-93361 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for VPREVIEW.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93089 | Medium | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93367 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for wordpad.exe. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93365 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for wmplayer.exe. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93083 | Medium | Windows Server 2019 Profile single process user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Profile single process" user right can monitor non-system processes ...
V-93081 | Medium | Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Perform volume maintenance tasks" user right can manage volume and ...
V-93087 | Medium | Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Take ownership of files or other objects" user right can take ...
V-93085 | Medium | Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Restore files and directories" user right can circumvent file and ...
V-93003 | Medium | Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a service" user right defines accounts that are denied logon as a ...
V-93001 | Medium | Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on as a batch job" user right defines accounts that are prevented from ...
V-93007 | Medium | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access this computer from the network" user right may access ...
V-93005 | Medium | Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on locally" user right defines accounts that are prevented from logging ...
V-93245 | Medium | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | Virtualization Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum ...
V-93009 | Medium | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny access to this computer from the network" user right defines the accounts ...
V-93241 | Medium | Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares. | Additional security requirements are applied to UNC paths specified in hardened UNC paths before allowing access to them. This aids in preventing tampering with or spoofing of connections to these ...
V-93243 | Medium | Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials. | An exportable version of credentials is provided to remote hosts when using credential delegation which exposes them to theft on the remote host. Restricted Admin mode or Remote Credential Guard ...
V-93419 | Medium | Windows Server 2019 local users on domain-joined member servers must not be enumerated. | The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.
V-93163 | Medium | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93165 | Medium | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93167 | Medium | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93169 | Medium | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93413 | Medium | Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP. | Basic authentication uses plain-text passwords that could be used to compromise a system. Disabling Basic authentication will reduce this potential.
V-93415 | Medium | Windows Server 2019 must prevent Indexing of encrypted files. | Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.
V-93417 | Medium | Windows Server 2019 domain controllers must run on a machine dedicated to that function. | Executing application servers on the same host machine with a directory server may substantially weaken the security of the directory server. Web or database server applications usually require ...
V-93393 | Medium | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.
V-93399 | Medium | Windows Server 2019 must prevent the display of slide shows on the lock screen. | Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.
V-93293 | Medium | Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group. | Access by anonymous users must be restricted. If this setting is enabled, anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users must not have these ...
V-93379 | Medium | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Using a whitelist provides a configuration management method to allow the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential ...
V-93407 | Medium | Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen. | Enabling interaction with the network selection UI allows users to change connections to available networks without signing in to Windows.
V-93405 | Medium | Windows Server 2019 printing over HTTP must be turned off. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive ...
V-93403 | Medium | Windows Server 2019 downloading print driver packages over HTTP must be turned off. | Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive ...
V-93401 | Medium | Windows Server 2019 must have WDigest Authentication disabled. | When the WDigest Authentication protocol is enabled, plain-text passwords are stored in the Local Security Authority Subsystem Service (LSASS), exposing them to theft. WDigest is disabled by ...
V-93297 | Medium | Windows Server 2019 must prevent NTLM from falling back to a Null session. | NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.
V-93273 | Medium | Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords. | Enabling this setting on all domain controllers in a domain prevents domain members from changing their computer account passwords. If these passwords are weak or compromised, the inability to ...
V-93561 | Medium | Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB ...
V-93421 | Medium | Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption.
V-93077 | Medium | Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Lock pages in memory" user right allows physical memory to be assigned to ...
V-93075 | Medium | Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Load and unload device drivers" user right allows a user to load device drivers ...
V-92973 | Medium | Windows Server 2019 Remote Desktop Services must be configured with the client connection encryption set to High Level. | Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both ...
V-93073 | Medium | Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Increase scheduling priority" user right can change a scheduling ...
V-93295 | Medium | Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously. | Services using Local System that use Negotiate when reverting to NTLM authentication may gain unauthorized access if allowed to authenticate anonymously versus using the computer identity.
V-93071 | Medium | Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Impersonate a client after authentication" user right allows a program to ...
V-93179 | Medium | Windows Server 2019 Security event log size must be configured to 196608 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.
V-93177 | Medium | Windows Server 2019 Application event log size must be configured to 32768 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.
V-93175 | Medium | Windows Server 2019 PowerShell script block logging must be enabled. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93173 | Medium | Windows Server 2019 command line data must be included in process creation events. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
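Many of the rows above (FIPS algorithms V-93511, PowerShell 2.0 V-93397, SMBv1 V-93391/V-93393/V-93395, WDigest V-93401, NTLM null-session fallback V-93297, the event log sizes V-93177/V-93179 and V-93181 further down, script block logging V-93175 and command-line auditing V-93173) are verified by reading a single registry value or a Windows feature state. The following script is an added example written for this page, not part of the STIG; it uses the registry keys, value names and feature names that the STIG check text specifies, and the "NotAFinding"/"Open" labels are a convention chosen here to mirror STIG result terms. Run it in an elevated PowerShell session on the server; with -Remediate it writes the required registry values (feature removal is left to Uninstall-WindowsFeature so a reboot can be planned).

```powershell
# Added example for this page, not STIG-supplied code. Run elevated on the server.
[CmdletBinding()]
param([switch]$Remediate)

# One row per registry-backed finding: key, value name and required value from the
# STIG check text. 'Compare' defaults to equality; 'ge' is for minimum log sizes (KB).
$RegistryChecks = @(
    @{ Id = 'V-93511'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy';            Name = 'Enabled';                  Expect = 1 }
    @{ Id = 'V-93401'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';          Name = 'UseLogonCredential';       Expect = 0 }
    @{ Id = 'V-93297'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                         Name = 'allownullsessionfallback'; Expect = 0 }
    @{ Id = 'V-93393'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';           Name = 'SMB1';                     Expect = 0 }
    @{ Id = 'V-93395'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10';                          Name = 'Start';                    Expect = 4 }
    @{ Id = 'V-93179'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security';               Name = 'MaxSize';                  Expect = 196608; Compare = 'ge' }
    @{ Id = 'V-93177'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application';            Name = 'MaxSize';                  Expect = 32768;  Compare = 'ge' }
    @{ Id = 'V-93181'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System';                 Name = 'MaxSize';                  Expect = 32768;  Compare = 'ge' }
    @{ Id = 'V-93175'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging';  Name = 'EnableScriptBlockLogging'; Expect = 1 }
    @{ Id = 'V-93173'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Audit';                    Name = 'ProcessCreationIncludeCmdLine_Enabled'; Expect = 1 }
)

function Test-RegistryFinding {
    param([hashtable]$Check)
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    # A missing value is reported as Open: the STIG wants the policy value to be present.
    $ok = if ($null -eq $actual) { $false }
          elseif ($Check.Compare -eq 'ge') { [int64]$actual -ge $Check.Expect }
          else { [int64]$actual -eq $Check.Expect }
    [pscustomobject]@{
        Id       = $Check.Id
        Status   = if ($ok) { 'NotAFinding' } else { 'Open' }
        Setting  = "$($Check.Path)\$($Check.Name)"
        Actual   = $actual
        Expected = $Check.Expect
    }
}

function Set-RegistryFinding {
    param([hashtable]$Check)
    if (-not (Test-Path $Check.Path)) { New-Item -Path $Check.Path -Force | Out-Null }
    Set-ItemProperty -Path $Check.Path -Name $Check.Name -Value $Check.Expect -Type DWord
}

$results = foreach ($c in $RegistryChecks) {
    $r = Test-RegistryFinding $c
    if ($Remediate -and $r.Status -eq 'Open') { Set-RegistryFinding $c; $r = Test-RegistryFinding $c }
    $r
}

# V-93395 also requires the workstation service not to depend on the SMB1 driver.
$dep = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
$results += [pscustomobject]@{
    Id = 'V-93395'; Status = if ($dep -contains 'MRxSmb10') { 'Open' } else { 'NotAFinding' }
    Setting = 'LanmanWorkstation\DependOnService'; Actual = ($dep -join ','); Expected = 'no MRxSmb10'
}

# Features that must not be installed (Get-WindowsFeature comes from the ServerManager module).
foreach ($f in @(@{ Id = 'V-93391'; Name = 'FS-SMB1' }, @{ Id = 'V-93397'; Name = 'PowerShell-V2' })) {
    $feat = Get-WindowsFeature -Name $f.Name
    $results += [pscustomobject]@{
        Id = $f.Id; Status = if ($feat.Installed) { 'Open' } else { 'NotAFinding' }
        Setting = "WindowsFeature $($f.Name)"; Actual = $feat.InstallState; Expected = 'not installed'
    }
}

$results | Sort-Object Id | Format-Table Id, Status, Setting, Actual, Expected -AutoSize
```

On a domain-joined server these values are normally delivered by Group Policy, so a value written with -Remediate will be overwritten at the next policy refresh unless the same setting is also set in the applicable GPO; use the script to verify the effective state and fix the GPO, not as a substitute for it.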
V-93079 | Medium | Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Modify firmware environment values" user right can change hardware ...
V-93171 | Medium | Windows Server 2019 must be configured to audit logoff successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93139 | Medium | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93129 | Medium | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The ...
V-93211 | Medium | The password for the krbtgt account on a domain must be reset at least every 180 days. | The krbtgt account acts as a service account for the Kerberos Key Distribution Center (KDC) service. The account and password are created when a domain is created and the password is typically ...
V-93183 | Medium | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited. | Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.
V-93267 | Medium | Windows Server 2019 users must be notified if a web-based program attempts to install software. | Web-based programs may attempt to install malicious software on a system. Ensuring users are notified if a web-based program attempts to install software allows them to refuse the installation.
V-93181 | Medium | Windows Server 2019 System event log size must be configured to 32768 KB or greater. | Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel.
V-93265 | Medium | Windows Server 2019 must prevent attachments from being downloaded from RSS feeds. | Attachments from RSS feeds may not be secure. This setting will prevent attachments from being downloaded from RSS feeds.
V-93349 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for OneDrive.exe. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93263 | Medium | Windows Server 2019 File Explorer shell protocol must run in protected mode. | The shell protocol will limit the set of folders that applications can open when run in protected mode. Restricting files an application can open to a limited set of folders increases the security ...
V-93185 | Medium | Windows Server 2019 must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly. | Protection of log data includes assuring the log data is not accidentally lost or deleted. Audit information stored in one location is vulnerable to accidental or incidental deletion or alteration.
V-93345 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for MSPUB.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93189 | Medium | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93341 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for lync.exe. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93343 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for MSACCESS.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93269 | Medium | Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart. | Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling ...
V-93473 | Medium | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days. | The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The built-in Administrator account is not generally used and its password ...
V-93381 | Medium | Windows Server 2019 must have the roles and features required by the system documented. | Unnecessary roles and features increase the attack surface of a system. Limiting roles and features of a system to only those necessary reduces this potential. The standard installation option ...
V-93471 | Medium | Windows Server 2019 minimum password age must be configured to at least one day. | Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose ...
V-93477 | Medium | Windows Server 2019 maximum password age must be configured to 60 days or less. | The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the passwords. Scheduled changing of passwords hinders the ability of unauthorized system ...
V-93475 | Medium | Windows Server 2019 passwords must be configured to expire. | Passwords that do not expire or are reused increase the exposure of a password with greater probability of being discovered or cracked.
V-93567 | Medium | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits ...
V-93479 | Medium | Windows Server 2019 password history must be configured to 24 passwords remembered. | A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change to a unique password on a regularly scheduled basis. ...
V-93571 | Medium | Windows Server 2019 must have a host-based firewall installed and enabled. | A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.
V-93383 | Medium | Windows Server 2019 must not have the Fax Server role installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.
V-93047 | Medium | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts to be trusted for delegation" user right allows ...
V-93109 | Medium | Windows Server 2019 must be configured to audit System - Other System Events successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93067 | Medium | Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Force shutdown from a remote system" user right can remotely shut ...
V-92979 | Medium | Windows Server 2019 must be configured to audit Account Management - Security Group Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93061 | Medium | Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create permanent shared objects" user right could expose sensitive ...
V-93063 | Medium | Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create symbolic links" user right can create pointers to other ...
V-92975 | Medium | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of ...
V-93385 | Medium | Windows Server 2019 must not have the Peer Name Resolution Protocol installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.
V-92977 | Medium | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Emergency administrator accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account ...
V-93113 | Medium | Windows Server 2019 must be configured to audit System - Security State Change successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-92971 | Medium | Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications. | Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a ...
V-93069 | Medium | Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Generate security audits" user right specifies users and processes that can ...
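The "user right must only be assigned to ..." rows on this page (V-93007, V-93083, V-93081, V-93087, V-93085, V-93077, V-93075, V-93073, V-93071, V-93079, V-93047, V-93067, V-93061, V-93063 and V-93069) and the password-age and history rows (V-93471, V-93477, V-93479) are all settings that secedit exports in one .inf file. The script below is an added example for this page, not STIG-supplied code: it exports the effective local security policy, parses the [Privilege Rights] and [System Access] sections, and flags any holder of a right that is outside the set the STIG allows. Allowed sets are expressed as well-known SIDs so the check does not depend on localized group names; the per-right exceptions the STIG permits on some systems (for example Hyper-V or IIS accounts for V-93063 and V-93071, or domain controller variants of V-93007 and V-93047) are an assumption left for the reader to add to the Allowed lists.

```powershell
# Added example for this page, not STIG-supplied code. Run elevated; secedit needs admin rights.
$cfg = Join-Path $env:TEMP 'stig-secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null

# Parse the exported .inf into @{ Section = @{ Key = Value } }.
$ini = @{}; $section = ''
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $section = $matches[1]; $ini[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $ini[$section][$matches[1]] = $matches[2] }
}
Remove-Item $cfg -Force

# Well-known SIDs for the groups the STIG names.
$Admins = 'S-1-5-32-544'; $AuthUsers = 'S-1-5-11'; $Service = 'S-1-5-6'
$LocalService = 'S-1-5-19'; $NetworkService = 'S-1-5-20'

# Right -> set of allowed holders. Empty set means the right must not be assigned at all.
# Add documented exceptions (Hyper-V, IIS, DC-specific groups) to Allowed before relying on this.
$Rights = @(
    @{ Id = 'V-93007'; Right = 'SeNetworkLogonRight';             Allowed = @($Admins, $AuthUsers) }
    @{ Id = 'V-93083'; Right = 'SeProfileSingleProcessPrivilege'; Allowed = @($Admins) }
    @{ Id = 'V-93081'; Right = 'SeManageVolumePrivilege';         Allowed = @($Admins) }
    @{ Id = 'V-93087'; Right = 'SeTakeOwnershipPrivilege';        Allowed = @($Admins) }
    @{ Id = 'V-93085'; Right = 'SeRestorePrivilege';              Allowed = @($Admins) }
    @{ Id = 'V-93077'; Right = 'SeLockMemoryPrivilege';           Allowed = @() }
    @{ Id = 'V-93075'; Right = 'SeLoadDriverPrivilege';           Allowed = @($Admins) }
    @{ Id = 'V-93073'; Right = 'SeIncreaseBasePriorityPrivilege'; Allowed = @($Admins) }
    @{ Id = 'V-93071'; Right = 'SeImpersonatePrivilege';          Allowed = @($Admins, $Service, $LocalService, $NetworkService) }
    @{ Id = 'V-93079'; Right = 'SeSystemEnvironmentPrivilege';    Allowed = @($Admins) }
    @{ Id = 'V-93047'; Right = 'SeEnableDelegationPrivilege';     Allowed = @() }
    @{ Id = 'V-93067'; Right = 'SeRemoteShutdownPrivilege';       Allowed = @($Admins) }
    @{ Id = 'V-93061'; Right = 'SeCreatePermanentPrivilege';      Allowed = @() }
    @{ Id = 'V-93063'; Right = 'SeCreateSymbolicLinkPrivilege';   Allowed = @($Admins) }
    @{ Id = 'V-93069'; Right = 'SeAuditPrivilege';                Allowed = @($LocalService, $NetworkService) }
)

function Get-RightHolders {
    # Returns the SIDs currently holding a right. secedit writes resolved accounts as "*SID";
    # anything else is a bare name, which we try to translate so comparisons stay SID-based.
    param([string]$Right)
    $raw = if ($ini['Privilege Rights']) { $ini['Privilege Rights'][$Right] } else { $null }
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    foreach ($entry in ($raw -split ',')) {
        $entry = $entry.Trim()
        if ($entry -match '^\*(S-1-[\d-]+)$') { $matches[1] }
        else { try { (New-Object Security.Principal.NTAccount($entry)).Translate([Security.Principal.SecurityIdentifier]).Value } catch { $entry } }
    }
}

function ConvertTo-Name {
    param([string]$Sid)
    try { (New-Object Security.Principal.SecurityIdentifier($Sid)).Translate([Security.Principal.NTAccount]).Value } catch { $Sid }
}

$results = foreach ($r in $Rights) {
    $holders = @(Get-RightHolders $r.Right)
    $extra   = @($holders | Where-Object { $r.Allowed -notcontains $_ })
    [pscustomobject]@{
        Id       = $r.Id; Setting = $r.Right
        Status   = if ($extra.Count -eq 0) { 'NotAFinding' } else { 'Open' }
        Actual   = ($holders | ForEach-Object { ConvertTo-Name $_ }) -join ', '
        Expected = if ($r.Allowed.Count) { ($r.Allowed | ForEach-Object { ConvertTo-Name $_ }) -join ', ' } else { '(none)' }
    }
}

# Password policy rows come from [System Access]; MaximumPasswordAge of -1 means "never".
$sa = $ini['System Access']
$results += foreach ($p in @(
        @{ Id = 'V-93471'; Key = 'MinimumPasswordAge';  Test = { param($v) $v -ge 1 };                 Expected = '>= 1 day' }
        @{ Id = 'V-93477'; Key = 'MaximumPasswordAge';  Test = { param($v) $v -ge 1 -and $v -le 60 };  Expected = '1 to 60 days' }
        @{ Id = 'V-93479'; Key = 'PasswordHistorySize'; Test = { param($v) $v -ge 24 };                Expected = '>= 24' }
    )) {
    $v = [int]$sa[$p.Key]
    [pscustomobject]@{ Id = $p.Id; Setting = $p.Key; Status = if (& $p.Test $v) { 'NotAFinding' } else { 'Open' }; Actual = $v; Expected = $p.Expected }
}

$results | Format-Table Id, Status, Setting, Actual, Expected -AutoSize
```

Because the exported database reflects whatever Group Policy last applied, the Actual column shows the effective assignment, which is what an assessor checks; the "Deny ..." rights (V-93001, V-93003, V-93005, V-93009) have the opposite semantics (accounts that must be present rather than absent) and are deliberately not in the table.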
V-93105 | Medium | Windows Server 2019 must be configured to audit System - IPsec Driver successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-102625 | Medium | The Windows Explorer Preview pane must be disabled for Windows Server 2019. | A known vulnerability in Windows could allow the execution of malicious code by either opening a compromised document or viewing it in the Windows Preview pane. Organizations must disable the ...
V-93339 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93439 | Medium | Windows Server 2019 accounts must require passwords. | The lack of password protection enables anyone to gain access to the information system, which opens a backdoor opportunity for intruders to compromise the system as well as other resources. ...
Maintaining an audit trail of system activity
Windows Server 2019 mus logs can help identify configuration errors,
t be configured to audit DS troubleshoot service disruptions, and analyze
Access - Directory Service compromises that have occurred, as well as
V-93133 Medium Access successes. detect attacks. ...
Finding ID | Severity | Title | Description
V-92981 | Medium | Windows Server 2019 must be configured to audit Account Management - User Account Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93045 | Medium | Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone systems. | The Windows SAM stores users' passwords. Restricting Remote Procedure Call (RPC) connections to the SAM to Administrators helps protect those credentials.
V-93103 | Medium | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93213 | Medium | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Credential Guard uses virtualization-based security to protect data that could be used in credential theft attacks if compromised. A number of system requirements must be met in order for ...
V-93437 | Medium | Windows Server 2019 shared user accounts must not be permitted. | Shared accounts (accounts where two or more people log on with the same user identification) do not provide adequate identification and authentication. There is no way to provide for ...
V-92995 | Medium | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access this computer from the network" right may access resources ...
V-93193 | Medium | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93195 | Medium | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion. | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized ...
V-93197 | Medium | Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Manage auditing and security log" user right can manage the ...
V-93353 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for plugin-container.exe. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93219 | Medium | Windows Server 2019 must have a host-based intrusion detection or prevention system. | A properly configured Host-based Intrusion Detection System (HIDS) or Host-based Intrusion Prevention System (HIPS) provides another level of defense against unauthorized access to critical ...
V-93351 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for OUTLOOK.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93357 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for PPTVIEW.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-92999 | Medium | Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny access to this computer from the network" user right defines the accounts ...
V-93355 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for POWERPNT.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93461 | Medium | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length. | Application/service account passwords must be of sufficient length to prevent being easily cracked. Application/service accounts that are manually managed must have passwords at least 15 ...
V-93463 | Medium | Windows Server 2019 minimum password length must be configured to 14 characters. | Information systems not protected with strong password schemes (including passwords of minimum length) provide the opportunity for anyone to crack the password, thus gaining access to the system ...
V-93107 | Medium | Windows Server 2019 must be configured to audit System - IPsec Driver failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93135 | Medium | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93053 | Medium | Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Back up files and directories" user right can circumvent file and ...
V-93565 | Medium | Windows Server 2019 Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on. | Exploit protection enables mitigations against potential threats at the system and application level. Several mitigations, including "Randomize memory allocations (Bottom-Up ASLR)", are enabled ...
V-93299 | Medium | Windows Server 2019 must prevent PKU2U authentication using online identities. | PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user ...
V-92969 | Medium | Windows Server 2019 must be configured to audit logon failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93055 | Medium | Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create a pagefile" user right can change the size of a pagefile, ...
V-93431 | Medium | Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the built-in ...
V-93115 | Medium | Windows Server 2019 must be configured to audit System - Security System Extension successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-92963 | Medium | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop Services" user right defines the accounts that ...
V-93505 | Medium | Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication. | Digest authentication is not as strong as other options and may be subject to man-in-the-middle attacks. Disallowing Digest authentication will reduce this potential.
V-92961 | Medium | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Unattended systems are susceptible to unauthorized use and should be locked when unattended. The screen saver should be set at a maximum of 15 minutes and be password protected. This protects ...
V-92967 | Medium | Windows Server 2019 must be configured to audit logon successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93501 | Medium | Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic. | Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this. Satisfies: ...
V-92965 | Medium | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Deny log on through Remote Desktop Services" user right defines the accounts that ...
V-93337 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for INFOPATH.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93059 | Medium | Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Create global objects" user right can create objects that are ...
V-93513 | Medium | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | Directory data that is not appropriately encrypted is subject to compromise. Commercial-grade encryption does not provide adequate protection when the classification level of directory data in ...
V-93275 | Medium | Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers. | The default Windows configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons, such as the user's ...
V-93101 | Medium | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93545 | Medium | Windows Server 2019 domain controllers must require LDAP access signing. | Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client and modifies them before forwarding them to the client. ...
V-93331 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for FLTLDR.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93515 | Medium | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | This requirement addresses protection of user-generated data as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve ...
V-93203 | Medium | Windows Server 2019 system files must be monitored for unauthorized changes. | Monitoring system files for changes against a baseline on a regular basis may help detect the possible introduction of malicious code on a system.
V-93411 | Medium | Windows Server 2019 Windows Defender SmartScreen must be enabled. | Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling SmartScreen can block potentially malicious programs or warn users.
V-93207 | Medium | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions ...
V-93209 | Medium | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | Setting application account passwords to expire may cause applications to stop functioning. However, not changing them on a regular basis exposes them to attack. If managed service accounts are ...
V-92989 | Medium | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93469 | Medium | Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers. | Some non-Microsoft SMB servers only support unencrypted (plain-text) password authentication. Sending plain-text passwords across the network when authenticating to an SMB server reduces the ...
V-93125 | Medium | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The ...
V-93563 | Medium | Windows Server 2019 Explorer Data Execution Prevention must be enabled. | Data Execution Prevention provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention from being ...
V-93127 | Medium | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The ...
V-93335 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for iexplore.exe. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93121 | Medium | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings. | When inappropriate audit settings are configured for directory service database objects, it may be possible for a user or process to update the data without generating any tracking data. The ...
V-93327 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for EXCEL.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93325 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for chrome.exe. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93323 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for AcroRd32.exe. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93453 | Medium | Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone systems. | Unauthenticated RPC clients may allow anonymous access to sensitive information. Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC server will prevent anonymous ...
V-93557 | Medium | Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. If this policy is enabled, the SMB client will request packet signing when communicating with an SMB server ...
V-93117 | Medium | Windows Server 2019 must be configured to audit System - System Integrity successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93519 | Medium | Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers. | A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabled, filtering the privileged token for local ...
V-93049 | Medium | Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Access Credential Manager as a trusted caller" user right may be ...
V-93487 | Medium | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root CAs. The DoD root certificates will ensure that the trust chain is established for ...
V-93281 | Medium | Windows Server 2019 built-in administrator account must be renamed. | The built-in administrator account is a well-known account subject to attack. Renaming this account to an unidentified name improves the protection of this account and the system.
V-93283 | Medium | Windows Server 2019 built-in guest account must be renamed. | The built-in guest account is a well-known user account on all Windows systems and, as initially installed, does not require a password. This can allow access to system resources by unauthorized ...
V-93285 | Medium | Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less. | Computer account passwords are changed automatically on a regular basis. This setting controls the maximum password age that a machine account may have. This must be set to no more than 30 days, ...
V-93287 | Medium | Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Unattended systems are susceptible to unauthorized use and must be locked. Configuring a system to lock when a smart card is removed will ensure the system is inaccessible when unattended.
V-92985 | Medium | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93111 | Medium | Windows Server 2019 must be configured to audit System - Other System Events failures. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93041 | Medium | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. The "Enable computer and user accounts to be trusted for delegation" user right allows ...
V-93549 | Medium | Windows Server 2019 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure ...
V-93551 | Medium | Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled. | Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, outgoing ...
V-93137 | Medium | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93525 | Medium | Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting requires Windows to respond to ...
V-93429 | Medium | Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials. | Storage of administrative credentials could allow unauthorized access. Disallowing the storage of RunAs credentials for Windows Remote Management will prevent them from being used with ...
V-93553 | Medium | Windows Server 2019 must be configured to require a strong session key. | A computer connecting to a domain controller will establish a secure channel. The secure channel connection may be subject to compromise, such as hijacking or eavesdropping, if strong session keys ...
V-93239 | Medium | Windows Server 2019 insecure logons to an SMB server must be disabled. | Insecure guest logons allow unauthenticated access to shared folders. Shared resources on a system must require authentication to establish proper access.
V-93423 | Medium | Windows Server 2019 must not have the Telnet Client installed. | Unnecessary services increase the attack surface of a system. Some of these services may not support required levels of authentication or encryption or may provide unauthorized access to the system.
V-93459 | Medium | Windows Server 2019 must have the built-in Windows password complexity policy enabled. | The use of complex passwords increases their strength against attack. The built-in Windows password complexity policy requires passwords to contain at least three of the four types of characters ...
V-93555 | Medium | Windows Server 2019 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB ...
V-92997 | Medium | Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Allow log on through Remote Desktop Services" user right can access ...
V-93449 | Medium | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. | This setting determines the period of time (in days) during which a user's Ticket Granting Ticket (TGT) may be renewed. This security configuration limits the amount of time an attacker has to ...
V-93329 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for firefox.exe. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93191 | Medium | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93443 | Medium | Windows Server 2019 Kerberos user logon restrictions must be enforced. | This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is ...
V-93347 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for OIS.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93441 | Medium | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Smart cards such as the CAC support a two-factor authentication technique. This provides a higher level of trust in the asserted identity than use of the username and password for ...
V-93447 | Medium | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less. | In Kerberos, there are two types of tickets: Ticket Granting Tickets (TGTs) and Service Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to implement an attack is ...
V-93445 | Medium | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | This setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. Session tickets are used only to authenticate new ...
V-93529 | Medium | Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures non-UAC-compliant applications to run in ...
V-93455 | Medium | Windows Server 2019 computer account password must not be prevented from being reset. | Computer account passwords are changed automatically on a regular basis. Disabling automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can ...
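The audit-subcategory, user-right, password-policy and Kerberos-policy findings listed above can be spot-checked with the two tools the STIG check text itself relies on, auditpol.exe and secedit.exe. The script below is an added example written for this page; it is not part of the STIG and not DISA tooling. The subcategory names, the secedit section and key names and the well-known SIDs are the ones those tools emit; the function names, the pass/fail rules and the output layout are this editor's own, and the rules are transcribed from the finding titles in the table. Run it in an elevated PowerShell 5.1 session on the server being assessed. The [Kerberos Policy] section only appears in the export on a domain controller, so those rows and the domain-controller-only user rights are gated on the machine's domain role.

```powershell
#Requires -RunAsAdministrator
# Added example: spot-check of the audit, user-right, password and Kerberos policy findings
# in the table above. Not part of the STIG; each rule is transcribed from a finding title.

# Advanced Audit Policy subcategories: name -> required setting (finding IDs in comments).
$auditExpectations = @{
    'Security State Change'       = 'Success'              # V-93113
    'Security System Extension'   = 'Success'              # V-93115
    'System Integrity'            = 'Success'              # V-93117
    'IPsec Driver'                = 'Success and Failure'  # V-93105, V-93107
    'Other System Events'         = 'Failure'              # V-93111
    'Sensitive Privilege Use'     = 'Success and Failure'  # V-93101, V-93103
    'User Account Management'     = 'Success'              # V-92981
    'Computer Account Management' = 'Success'              # V-92985
    'Logon'                       = 'Success and Failure'  # V-92967, V-92969
    'Account Lockout'             = 'Success and Failure'  # V-92987, V-92989
}

function Test-AuditSubcategory {
    param([string]$Name, [string]$Required)
    # 'auditpol /r' prints CSV; 'Inclusion Setting' is 'No Auditing', 'Success',
    # 'Failure' or 'Success and Failure'. A superset of what is required passes.
    $row = auditpol /get /subcategory:"$Name" /r | Where-Object { $_ } | ConvertFrom-Csv | Select-Object -First 1
    $actual = $row.'Inclusion Setting'
    $pass = switch ($Required) {
        'Success'             { $actual -in 'Success', 'Success and Failure' }
        'Failure'             { $actual -in 'Failure', 'Success and Failure' }
        'Success and Failure' { $actual -eq 'Success and Failure' }
    }
    [pscustomobject]@{ Check = "Audit: $Name"; Required = $Required; Actual = $actual; Pass = [bool]$pass }
}

function Get-SecurityPolicyExport {
    # secedit writes an INI-style (UTF-16) file; parse it into @{ Section = @{ Key = Value } }.
    $path = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        $null = secedit /export /cfg $path /quiet
        $policy = @{}; $section = $null
        foreach ($line in Get-Content -Path $path) {
            if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
            if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $policy[$section][$Matches[1]] = $Matches[2].Trim() }
        }
        return $policy
    } finally { Remove-Item -Path $path -ErrorAction SilentlyContinue }
}

function Test-PolicyValue {
    param([hashtable]$Policy, [string]$Section, [string]$Key, [scriptblock]$Rule, [string]$Finding)
    if (-not $Policy.ContainsKey($Section)) { return }   # e.g. no [Kerberos Policy] on a member server
    $actual = $Policy[$Section][$Key]
    [pscustomobject]@{ Check = "$Finding $Section/$Key"; Required = $Rule.ToString().Trim(); Actual = $actual; Pass = [bool](& $Rule $actual) }
}

function Test-UserRight {
    # Default: every holder of the right must be in $Sids. With -MustInclude: every SID in $Sids must hold it.
    param([hashtable]$Policy, [string]$Right, [string[]]$Sids, [string]$Finding, [switch]$MustInclude)
    $raw = $Policy['Privilege Rights'][$Right]          # absent key = nobody holds the right
    $actual = @(if ($raw) { $raw.Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } })
    $bad = $actual | Where-Object { $_ -notin $Sids }                          # unexpected holders
    if ($MustInclude) { $bad = $Sids | Where-Object { $_ -notin $actual } }    # required holders missing
    [pscustomobject]@{ Check = "$Finding $Right"; Required = ($Sids -join ','); Actual = ($actual -join ','); Pass = (@($bad).Count -eq 0) }
}

$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4   # 4/5 = backup/primary DC
$pol  = Get-SecurityPolicyExport
$Admins = 'S-1-5-32-544'; $Guests = 'S-1-5-32-546'; $AuthUsers = 'S-1-5-11'; $EntDCs = 'S-1-5-9'
$Service = 'S-1-5-6'; $LocalSvc = 'S-1-5-19'; $NetSvc = 'S-1-5-20'

$results = & {
    foreach ($e in $auditExpectations.GetEnumerator()) { Test-AuditSubcategory -Name $e.Key -Required $e.Value }

    Test-PolicyValue $pol 'System Access' 'MinimumPasswordLength' { [int]$args[0] -ge 14 } 'V-93463'
    Test-PolicyValue $pol 'System Access' 'PasswordComplexity'    { [int]$args[0] -eq 1 }  'V-93459'
    Test-PolicyValue $pol 'System Access' 'NewAdministratorName'  { "$($args[0])".Trim('"') -ne 'Administrator' } 'V-93281'
    Test-PolicyValue $pol 'System Access' 'NewGuestName'          { "$($args[0])".Trim('"') -ne 'Guest' }         'V-93283'

    Test-UserRight $pol 'SeAuditPrivilege'                @($LocalSvc, $NetSvc)                    'V-93069'
    Test-UserRight $pol 'SeBackupPrivilege'               @($Admins)                               'V-93053'
    Test-UserRight $pol 'SeCreatePagefilePrivilege'       @($Admins)                               'V-93055'
    Test-UserRight $pol 'SeCreateGlobalPrivilege'         @($Admins, $Service, $LocalSvc, $NetSvc) 'V-93059'
    Test-UserRight $pol 'SeSecurityPrivilege'             @($Admins)                               'V-93197'
    Test-UserRight $pol 'SeTrustedCredManAccessPrivilege' @()                                      'V-93049'

    if ($isDC) {
        Test-UserRight $pol 'SeNetworkLogonRight'             @($Admins, $AuthUsers, $EntDCs) 'V-92995'
        Test-UserRight $pol 'SeDenyNetworkLogonRight'         @($Guests) 'V-92999' -MustInclude   # "unauthenticated" = Guests
        Test-UserRight $pol 'SeDenyRemoteInteractiveLogonRight' @($Guests) 'V-92963' -MustInclude
        Test-UserRight $pol 'SeRemoteInteractiveLogonRight'   @($Admins) 'V-92997'
        Test-UserRight $pol 'SeEnableDelegationPrivilege'     @($Admins) 'V-93041'
        Test-UserRight $pol 'SeMachineAccountPrivilege'       @($Admins) 'V-93039'
        # Kerberos values are hours / days / minutes; 0 would mean the ticket never expires, so it is rejected.
        Test-PolicyValue $pol 'Kerberos Policy' 'MaxTicketAge'         { [int]$args[0] -in 1..10 }  'V-93447'
        Test-PolicyValue $pol 'Kerberos Policy' 'MaxRenewAge'          { [int]$args[0] -in 1..7 }   'V-93449'
        Test-PolicyValue $pol 'Kerberos Policy' 'MaxServiceAge'        { [int]$args[0] -in 1..600 } 'V-93445'
        Test-PolicyValue $pol 'Kerberos Policy' 'TicketValidateClient' { [int]$args[0] -eq 1 }      'V-93443'
    }
}
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Pass } | ForEach-Object { Write-Warning "Open finding: $($_.Check)" }
```

secedit writes well-known principals as SIDs prefixed with `*`, which is why the checks compare SIDs rather than display names; a domain group granted a right shows up as its `S-1-5-21-...` SID and is reported as an unexpected holder, which is the intended behaviour for rights the table restricts to built-in groups. The "deny" rights are checked for inclusion of Guests only; the member-server variant (V-92965) also expects the highly privileged domain groups and local accounts to be listed, which this example does not cover.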
V-93039 | Medium | Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers. | Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Add workstations to domain" right may add computers to a domain. ...
V-93359 | Medium | Windows Server 2019 Exploit Protection mitigations must be configured for VISIO.EXE. | Exploit protection provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application protections, Windows may ...
V-93559 | Medium | Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled. | The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB ...
V-93521 | Medium | Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting prevents User Interface ...
V-93523 | Medium | Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. | User Account Control (UAC) is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures the elevation ...
V-92987 | Medium | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes. | Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. ...
V-93457 | Medium | Windows Server 2019 outdated or unused accounts must be removed or disabled. | Outdated or unused accounts provide penetration points that may go undetected. Inactive accounts must be deleted if no longer necessary or, if still required, disabled until needed.
V-93527 | Medium | Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations. | UAC is a security mechanism for limiting the elevation of privileges, including administrative accounts, unless authorized. This setting configures Windows to only allow applications installed in ...
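Most of the remaining Medium findings above (secure RPC for Remote Desktop, remote SAM access, cached logons, PKU2U, WinRM, SMB signing and plain-text passwords, secure-channel signing, sealing and key strength, machine account password age, the UAC settings, SmartScreen, Explorer DEP, LDAP signing) are single registry values under policy keys. The script below is an added example for this page, not part of the STIG or of any DISA tool; the registry locations and required values are the ones the STIG check text points at for each finding, while the helper names, the output layout and the two non-registry checks at the end (Telnet Client feature state for V-93423, TPM readiness for V-93213) are this editor's own. A value that is absent is reported as a failure because the finding requires it to be configured explicitly.

```powershell
#Requires -RunAsAdministrator
# Added example: registry spot-check for the settings-based findings listed above.
# Not part of the STIG; each rule encodes the value the corresponding finding requires.

function New-Check {
    param([string]$Id, [string]$Path, [string]$Name, [scriptblock]$Ok, [switch]$DCOnly)
    [pscustomobject]@{ Id = $Id; Path = $Path; Name = $Name; Ok = $Ok; DCOnly = [bool]$DCOnly }
}

$Lsa       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Uac       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$WksParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$SrvParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$Netlogon  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$WinRM     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM'

$checks = @(
    New-Check 'V-92971' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' 'fEncryptRPCTraffic' { $args[0] -eq 1 }
    New-Check 'V-93045' $Lsa 'RestrictRemoteSAM' { $args[0] -eq 'O:BAG:BAD:(A;;RC;;;BA)' }      # Administrators only
    New-Check 'V-93299' "$Lsa\pku2u" 'AllowOnlineID' { $args[0] -eq 0 }
    New-Check 'V-93275' $Winlogon 'CachedLogonsCount' { [int]$args[0] -le 4 }                   # REG_SZ
    New-Check 'V-93287' $Winlogon 'SCRemoveOption' { $args[0] -in '1', '2' }                    # 1 = lock, 2 = force logoff
    New-Check 'V-92961' $Uac 'InactivityTimeoutSecs' { $args[0] -in 1..900 }                    # 15 minutes, 0 = disabled
    New-Check 'V-93431' $Uac 'FilterAdministratorToken' { $args[0] -eq 1 }
    New-Check 'V-93519' $Uac 'LocalAccountTokenFilterPolicy' { $args[0] -eq 0 }
    New-Check 'V-93521' $Uac 'EnableUIADesktopToggle' { $args[0] -eq 0 }
    New-Check 'V-93523' $Uac 'ConsentPromptBehaviorAdmin' { $args[0] -in 1, 2 }                 # credentials or consent on the secure desktop
    New-Check 'V-93525' $Uac 'EnableInstallerDetection' { $args[0] -eq 1 }
    New-Check 'V-93527' $Uac 'EnableSecureUIAPaths' { $args[0] -eq 1 }
    New-Check 'V-93529' $Uac 'EnableVirtualization' { $args[0] -eq 1 }
    New-Check 'V-93453' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' 'RestrictRemoteClients' { $args[0] -eq 1 }
    New-Check 'V-93505' "$WinRM\Client"  'AllowDigest' { $args[0] -eq 0 }
    New-Check 'V-93501' "$WinRM\Service" 'AllowUnencryptedTraffic' { $args[0] -eq 0 }
    New-Check 'V-93429' "$WinRM\Service" 'DisableRunAs' { $args[0] -eq 1 }
    New-Check 'V-93555' $WksParams 'RequireSecuritySignature' { $args[0] -eq 1 }
    New-Check 'V-93557' $WksParams 'EnableSecuritySignature' { $args[0] -eq 1 }
    New-Check 'V-93469' $WksParams 'EnablePlainTextPassword' { $args[0] -eq 0 }
    New-Check 'V-93559' $SrvParams 'RequireSecuritySignature' { $args[0] -eq 1 }
    New-Check 'V-93239' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation' 'AllowInsecureGuestAuth' { $args[0] -eq 0 }
    New-Check 'V-93549' $Netlogon 'SealSecureChannel' { $args[0] -eq 1 }
    New-Check 'V-93551' $Netlogon 'SignSecureChannel' { $args[0] -eq 1 }
    New-Check 'V-93553' $Netlogon 'RequireStrongKey' { $args[0] -eq 1 }
    New-Check 'V-93285' $Netlogon 'MaximumPasswordAge' { $args[0] -in 1..30 }
    New-Check 'V-93455' $Netlogon 'DisablePasswordChange' { $args[0] -eq 0 }
    New-Check 'V-93411' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen' { $args[0] -eq 1 }
    New-Check 'V-93563' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' 'NoDataExecutionPrevention' { $args[0] -eq 0 }
    New-Check 'V-93545' 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'LDAPServerIntegrity' { $args[0] -eq 2 } -DCOnly
)

function Test-Check {
    param($Check, [bool]$IsDC)
    if ($Check.DCOnly -and -not $IsDC) { return }
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Name) } else { $null }          # $null = not configured
    [pscustomobject]@{
        Finding = $Check.Id
        Setting = "$($Check.Path -replace '^HKLM:\\', '')\$($Check.Name)"
        Actual  = $actual
        Pass    = ($null -ne $actual) -and [bool](& $Check.Ok $actual)
    }
}

$isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4   # 4/5 = backup/primary DC
$results = @(
    foreach ($c in $checks) { Test-Check -Check $c -IsDC $isDC }
    # Two findings from the table that are not registry values.
    $telnet = Get-WindowsFeature -Name Telnet-Client
    [pscustomobject]@{ Finding = 'V-93423'; Setting = 'Telnet-Client feature'; Actual = $telnet.InstallState; Pass = (-not $telnet.Installed) }
    $tpm = Get-Tpm
    [pscustomobject]@{ Finding = 'V-93213'; Setting = 'TPM present/ready'; Actual = "$($tpm.TpmPresent)/$($tpm.TpmReady)"; Pass = ($tpm.TpmPresent -and $tpm.TpmReady) }
)
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Pass } | ForEach-Object { Write-Warning "Open finding $($_.Finding): $($_.Setting) = $($_.Actual)" }
```

The `Policies` hives only hold values that Group Policy or a local policy has written, so a freshly built server fails most rows until the corresponding GPO applies; that is the point of treating an absent value as a finding rather than falling back to the Windows default. The user-rights, password-policy and audit findings are not in the registry and need the secedit/auditpol approach instead.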
V-93229 Low Windows Server 2019 syst UEFI provides additional security features in
Finding
ID Severity Title Description
ems must have Unified Ext comparison to legacy BIOS firmware,
ensible Firmware Interface including Secure Boot. UEFI is required to
(UEFI) firmware and be co support additional security features in
nfigured to run in UEFI m Windows, including ...
ode, not Legacy BIOS.
Windows systems maintain a global list of
Windows Server 2019 defa shared system resources such as DOS device
ult permissions of global s names, mutexes, and semaphores. Each type of
ystem objects must be stre object is created with a default Discretionary
V-93309 Low ngthened. Access Control List ...
Failure to display the logon banner prior to a
Windows Server 2019 title logon attempt will negate legal proceedings
for legal banner dialog box resulting from unauthorized access to system
must be configured with th resources. Satisfies: SRG-OS-000023-GPOS-
V-93149 Low e appropriate text. 00006, ...
Windows Server 2019 mus Configuring the system to ignore name release
t be configured to ignore N requests, except from WINS servers, prevents a
etBIOS name release reque denial of service (DoS) attack. The DoS
sts except from WINS serv consists of sending a NetBIOS name release
V-93541 Low ers. request to the ...
Windows Update can obtain updates from
Windows Server 2019 Win additional sources instead of Microsoft. In
dows Update must not obta addition to Microsoft, updates can be obtained
in updates from other PCs from and sent to PCs on the local network as
V-93259 Low on the Internet. well as on the ...
Windows Server 2019 sour
ce routing must be configu
red to the highest protectio
n level to prevent Internet
Protocol (IP) source routin Configuring the system to disable IP source
V-93235 Low g. routing protects against spoofing.
Windows Server 2019 Tur Legacy plug-in applications may continue to
ning off File Explorer heap function when a File Explorer session has
termination on corruption become corrupt. Disabling this feature will
V-93261 Low must be disabled. prevent this.
Windows Server 2019 non Windows shares are a means by which files,
-administrative accounts or folders, printers, and other resources can be
groups must only have prin published for network users to access. Improper
t permissions on printer sh configuration can permit access to devices and
V-92993 Low ares. data beyond ...
Windows Server 2019 dire The failure to terminate inactive network
ctory service must be confi connections increases the risk of a successful
V-93509 Low gured to terminate LDAP- attack on the directory server. The longer an
Finding
ID Severity Title Description
based network connections established session is in progress, the more time
to the directory server after an attacker ...
five minutes of inactivity.
Windows Server 2019 App
lication Compatibility Prog Some features may communicate with the
ram Inventory must be pre vendor, sending system information or
vented from collecting data downloading data or components for the
and sending the informatio feature. Turning off this capability will prevent
V-93409 Low n to Microsoft. potentially sensitive ...
The Windows Time Service controls time
The Windows Server 2019 synchronization settings. Time synchronization
time service must synchron is essential for authentication and auditing
ize with an appropriate Do purposes. If the Windows Time Service is used,
V-93187 Low D time source. it must ...
Windows Server 2019 mus
t be configured to prevent I
nternet Control Message Pr
otocol (ICMP) redirects fro Allowing ICMP redirect of routes can lead to
m overriding Open Shortes traffic not being routed properly. When
t Path First (OSPF)-generat disabled, this forces ICMP to be routed via the
V-93237 Low ed routes. shortest path first.
Secure Boot is a standard that ensures systems
boot only to a trusted operating system. Secure
Windows Server 2019 mus Boot is required to support additional security
t have Secure Boot enabled features in Windows, including Virtualization
V-93231 Low . Based ...
Windows Server 2019 Inte
rnet Protocol version 6 (IP
v6) source routing must be
configured to the highest p
rotection level to prevent I Configuring the system to disable IPv6 source
V-93233 Low P source routing. routing protects against spoofing.
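Most of the findings in this section are enforced by a single REG_DWORD, so they can be audited together on the target server. The following PowerShell script is an added example, not part of the STIG document or of any DISA tool; the registry paths, value names and acceptable values are taken from the published check content for each V-ID as the editor knows it and should be confirmed against the XCCDF benchmark actually being assessed. It also covers the three findings here that are not registry values (V-93229 firmware mode, V-93231 Secure Boot, V-92987 Account Lockout auditing). It assumes Windows PowerShell 5.1 running elevated on the host being checked.

```powershell
# Added example: audits the Windows Server 2019 STIG findings listed above on the
# local host. Not DISA code. Registry paths/values are from the STIG check content
# for each V-ID (editor's knowledge, not this page) and must be verified against
# the benchmark in use.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Write the required value for any registry-backed finding that is Open.
    # Domain-joined hosts should receive these from Group Policy; a local write
    # is reverted at the next policy refresh if the GPO disagrees.
    [switch]$Fix
)

# All values are REG_DWORD. 'Required' is what -Fix writes; 'AlsoAcceptable' lists
# other values the check accepts (V-93523: 1 = prompt for credentials on the secure
# desktop; V-93259: any Delivery Optimization mode except 3 = Internet peers).
$Checks = @(
    @{ Id='V-93559'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'; Name='RequireSecuritySignature';      Required=1 }
    @{ Id='V-93521'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name='EnableUIADesktopToggle';        Required=0 }
    @{ Id='V-93523'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name='ConsentPromptBehaviorAdmin';    Required=2; AlsoAcceptable=@(1) }
    @{ Id='V-93527'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name='EnableSecureUIAPaths';          Required=1 }
    @{ Id='V-93309'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';            Name='ProtectionMode';                Required=1 }
    @{ Id='V-93541'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters';          Name='NoNameReleaseOnDemand';         Required=1 }
    @{ Id='V-93235'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';          Name='DisableIPSourceRouting';        Required=2 }
    @{ Id='V-93233'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';         Name='DisableIPSourceRouting';        Required=2 }
    @{ Id='V-93237'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';          Name='EnableICMPRedirect';            Required=0 }
    @{ Id='V-93261'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer';                Name='NoHeapTerminationOnCorruption'; Required=0 }
    @{ Id='V-93409'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';               Name='DisableInventory';              Required=1 }
    @{ Id='V-93259'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization';    Name='DODownloadMode';                Required=0; AlsoAcceptable=@(1,2,99,100) }
)

function Test-StigRegistryValue {
    param([hashtable]$Check)
    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).($Check.Name)
    } catch { }  # missing key or value: reported as not set, which the STIG treats as a finding
    $accepted = @($Check.Required)
    if ($Check.ContainsKey('AlsoAcceptable')) { $accepted += $Check.AlsoAcceptable }
    [pscustomobject]@{
        Id       = $Check.Id
        Status   = $(if ($null -ne $actual -and $actual -in $accepted) { 'Pass' } else { 'Open' })
        Actual   = $(if ($null -eq $actual) { '<not set>' } else { $actual })
        Required = ($accepted -join ' or ')
        Setting  = "$($Check.Path)\$($Check.Name)"
    }
}

function Test-StigFirmware {
    # V-93229: Windows exposes the boot mode as $env:firmware_type ('UEFI' or 'Legacy').
    # V-93231: Confirm-SecureBootUEFI returns $true/$false on UEFI and throws on Legacy BIOS.
    $mode = $env:firmware_type
    $secureBoot = $false
    if ($mode -eq 'UEFI') {
        try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    }
    [pscustomobject]@{ Id='V-93229'; Status=$(if ($mode -eq 'UEFI') { 'Pass' } else { 'Open' }); Actual=$mode;       Required='UEFI'; Setting='Firmware boot mode' }
    [pscustomobject]@{ Id='V-93231'; Status=$(if ($secureBoot)      { 'Pass' } else { 'Open' }); Actual=$secureBoot; Required=$true;  Setting='Secure Boot state' }
}

function Test-StigAccountLockoutAudit {
    # V-92987: auditpol /r emits CSV whose 'Inclusion Setting' column is 'Success',
    # 'Failure', 'Success and Failure' or 'No Auditing' (English locale assumed).
    $row = auditpol /get /subcategory:"Account Lockout" /r | Where-Object { $_ } | ConvertFrom-Csv
    $setting = if ($row) { $row.'Inclusion Setting' } else { '<unknown>' }
    [pscustomobject]@{
        Id       = 'V-92987'
        Status   = $(if ($setting -match 'Success') { 'Pass' } else { 'Open' })
        Actual   = $setting
        Required = 'Success (or Success and Failure)'
        Setting  = 'Advanced Audit Policy\Logon/Logoff\Account Lockout'
    }
}

$results = foreach ($check in $Checks) {
    $result = Test-StigRegistryValue -Check $check
    if ($Fix -and $result.Status -eq 'Open') {
        if (-not (Test-Path $check.Path)) { New-Item -Path $check.Path -Force | Out-Null }
        Set-ItemProperty -Path $check.Path -Name $check.Name -Value $check.Required -Type DWord
        $result = Test-StigRegistryValue -Check $check   # re-read so the report shows the post-fix state
    }
    $result
}
$results = @($results) + @(Test-StigFirmware) + @(Test-StigAccountLockoutAudit)
$results | Sort-Object Status, Id | Format-Table Id, Status, Actual, Required, Setting -AutoSize -Wrap
if ($results.Status -contains 'Open') { exit 1 }   # non-zero exit so a compliance pipeline can fail the host
```

Run it as `.\Test-Wn19Section.ps1` to report, or with `-Fix` to write the required REG_DWORDs; -Fix deliberately does not touch the firmware or audit-policy items, which need a firmware change and an Advanced Audit Policy (GPO or auditpol /set) respectively. The remaining findings in this section use different tooling and are out of scope for the script: V-93509 is read with ntdsutil's LDAP policies (MaxConnIdleTime), V-93187 with w32tm /query /configuration, V-93457 by reviewing account last-logon dates, and V-92993 by inspecting printer share permissions.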