DoD WinSvr 2016 MS STIG Comp v2r8
Data collected on: 3/7/2024 4:30:42 PM
Property | Value |
---|---|
Domain | security.local |
Owner | SECURITY\Domain Admins |
Created | 3/6/2024 7:58:50 AM |
Modified | 3/6/2024 7:59:02 AM |
User Revisions | 1 (AD), 1 (SYSVOL) |
Computer Revisions | 1 (AD), 1 (SYSVOL) |
Unique ID | {25F6438F-A7FD-42D1-AB48-AF18943EA1DD} |
GPO Status | User settings disabled |
Location | Enforced | Link Status | Path |
---|---|---|---|
None | | | |
Name |
---|
NT AUTHORITY\Authenticated Users |
Name | Allowed Permissions | Inherited |
---|---|---|
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No |
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No |
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No |
SECURITY\Domain Admins | Edit settings, delete, modify security | No |
SECURITY\Enterprise Admins | Edit settings, delete, modify security | No |
Policy | Setting |
---|---|
Enforce password history | 24 passwords remembered |
Maximum password age | 60 days |
Minimum password age | 1 day |
Minimum password length | 14 characters |
Password must meet complexity requirements | Enabled |
Store passwords using reversible encryption | Disabled |
Policy | Setting |
---|---|
Account lockout duration | 15 minutes |
Account lockout threshold | 3 invalid logon attempts |
Reset account lockout counter after | 15 minutes |
Policy | Setting |
---|---|
Access Credential Manager as a trusted caller | |
Access this computer from the network | BUILTIN\Administrators, NT AUTHORITY\Authenticated Users |
Act as part of the operating system | |
Allow log on locally | BUILTIN\Administrators |
Back up files and directories | BUILTIN\Administrators |
Create a pagefile | BUILTIN\Administrators |
Create a token object | |
Create global objects | NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
Create permanent shared objects | |
Create symbolic links | BUILTIN\Administrators |
Debug programs | BUILTIN\Administrators |
Deny access to this computer from the network | ADD YOUR DOMAIN ADMINS, ADD YOUR ENTERPRISE ADMINS, BUILTIN\Guests, NT AUTHORITY\Local account |
Deny log on as a batch job | ADD YOUR DOMAIN ADMINS, ADD YOUR ENTERPRISE ADMINS, BUILTIN\Guests |
Deny log on as a service | ADD YOUR DOMAIN ADMINS, ADD YOUR ENTERPRISE ADMINS |
Deny log on locally | ADD YOUR DOMAIN ADMINS, ADD YOUR ENTERPRISE ADMINS, BUILTIN\Guests |
Deny log on through Terminal Services | ADD YOUR DOMAIN ADMINS, ADD YOUR ENTERPRISE ADMINS, BUILTIN\Guests, NT AUTHORITY\Local account |
Enable computer and user accounts to be trusted for delegation | |
Force shutdown from a remote system | BUILTIN\Administrators |
Generate security audits | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE |
Impersonate a client after authentication | NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
Increase scheduling priority | BUILTIN\Administrators |
Load and unload device drivers | BUILTIN\Administrators |
Lock pages in memory | |
Manage auditing and security log | BUILTIN\Administrators |
Modify firmware environment values | BUILTIN\Administrators |
Perform volume maintenance tasks | BUILTIN\Administrators |
Profile single process | BUILTIN\Administrators |
Restore files and directories | BUILTIN\Administrators |
Take ownership of files or other objects | BUILTIN\Administrators |
Policy | Setting |
---|---|
Accounts: Guest account status | Disabled |
Accounts: Limit local account use of blank passwords to console logon only | Enabled |
Accounts: Rename administrator account | "X_Admin" |
Accounts: Rename guest account | "Visitor" |
Policy | Setting |
---|---|
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
Domain member: Digitally sign secure channel data (when possible) | Enabled |
Domain member: Disable machine account password changes | Disabled |
Domain member: Maximum machine account password age | 30 days |
Domain member: Require strong (Windows 2000 or later) session key | Enabled |
Policy | Setting |
---|---|
Interactive logon: Message text for users attempting to log on | You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. |
Interactive logon: Message title for users attempting to log on | "US Department of Defense Warning Statement" |
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 4 logons |
Interactive logon: Smart card removal behavior | Lock Workstation |
Policy | Setting |
---|---|
Microsoft network client: Digitally sign communications (always) | Enabled |
Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
Policy | Setting |
---|---|
Microsoft network server: Digitally sign communications (always) | Enabled |
Microsoft network server: Digitally sign communications (if client agrees) | Enabled |
Policy | Setting |
---|---|
Network access: Allow anonymous SID/Name translation | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
Network access: Let Everyone permissions apply to anonymous users | Disabled |
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled |
Policy | Setting |
---|---|
Network security: Do not store LAN Manager hash value on next password change | Enabled |
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM |
Network security: LDAP client signing requirements | Negotiate signing |
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled |
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled |
Policy | Setting |
---|---|
System cryptography: Force strong key protection for user keys stored on the computer | User must enter a password each time they use a key |
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Enabled |
Policy | Setting |
---|---|
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
Policy | Setting |
---|---|
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop |
User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests |
User Account Control: Detect application installations and prompt for elevation | Enabled |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
Policy | Setting |
---|---|
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled |
Interactive logon: Machine inactivity limit | 900 seconds |
Network access: Restrict clients allowed to make remote calls to SAM | "O:BAG:BAD:(A;;RC;;;BA)" |
Network security: Allow Local System to use computer identity for NTLM | Enabled |
Network security: Allow LocalSystem NULL session fallback | Disabled |
Network security: Allow PKU2U authentication requests to this computer to use online identities. | Disabled |
Network security: Configure encryption types allowed for Kerberos | Enabled |
Policy | Setting |
---|---|
Audit Credential Validation | Success, Failure |
Policy | Setting |
---|---|
Audit Other Account Management Events | Success |
Audit Security Group Management | Success |
Audit User Account Management | Success, Failure |
Policy | Setting |
---|---|
Audit PNP Activity | Success |
Audit Process Creation | Success |
Policy | Setting |
---|---|
Audit Account Lockout | Failure |
Audit Group Membership | Success |
Audit Logoff | Success |
Audit Logon | Success, Failure |
Audit Special Logon | Success |
Policy | Setting |
---|---|
Audit Other Object Access Events | Success, Failure |
Audit Removable Storage | Success, Failure |
Policy | Setting |
---|---|
Audit Audit Policy Change | Success, Failure |
Audit Authentication Policy Change | Success |
Audit Authorization Policy Change | Success |
Policy | Setting |
---|---|
Audit Sensitive Privilege Use | Success, Failure |
Policy | Setting |
---|---|
Audit IPsec Driver | Success, Failure |
Audit Other System Events | Success, Failure |
Audit Security State Change | Success |
Audit Security System Extension | Success |
Audit System Integrity | Success, Failure |
Policy | Setting | Comment |
---|---|---|
Prevent enabling lock screen slide show | Enabled | |
Policy | Setting | Comment |
---|---|---|
Apply UAC restrictions to local accounts on network logons | Enabled | |
Configure SMB v1 client driver | Enabled | |
Configure SMB v1 server | Disabled | |
WDigest Authentication (disabling may require KB2871997) | Disabled | |
Policy | Setting | Comment |
---|---|---|
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | Enabled | |
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Enabled | |
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | |
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | |
Policy | Setting | Comment |
---|---|---|
Enable insecure guest logons | Disabled | |
Policy | Setting | Comment |
---|---|---|
Hardened UNC Paths | Enabled | |
Policy | Setting | Comment |
---|---|---|
Include command line in process creation events | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn On Virtualization Based Security | Enabled | |
Policy | Setting | Comment |
---|---|---|
Configure registry policy processing | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn off downloading of print drivers over HTTP | Enabled | |
Turn off printing over HTTP | Enabled | |
Policy | Setting | Comment |
---|---|---|
Do not display network selection UI | Enabled | |
Enumerate local users on domain-joined computers | Disabled | |
Policy | Setting | Comment |
---|---|---|
Require a password when a computer wakes (on battery) | Enabled | |
Require a password when a computer wakes (plugged in) | Enabled | |
Policy | Setting | Comment |
---|---|---|
Restrict Unauthenticated RPC clients | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn off Inventory Collector | Enabled | |
Policy | Setting | Comment |
---|---|---|
Disallow Autoplay for non-volume devices | Enabled | |
Set the default behavior for AutoRun | Enabled | |
Turn off Autoplay | Enabled | |
Policy | Setting | Comment |
---|---|---|
Enumerate administrator accounts on elevation | Disabled | |
Policy | Setting | Comment |
---|---|---|
Allow Telemetry | Enabled | |
Policy | Setting | Comment |
---|---|---|
Specify the maximum log file size (KB) | Enabled | |
Policy | Setting | Comment |
---|---|---|
Specify the maximum log file size (KB) | Enabled | |
Policy | Setting | Comment |
---|---|---|
Specify the maximum log file size (KB) | Enabled | |
Policy | Setting | Comment |
---|---|---|
Configure Windows SmartScreen | Enabled | |
Policy | Setting | Comment |
---|---|---|
Do not allow passwords to be saved | Enabled | |
Policy | Setting | Comment |
---|---|---|
Do not allow drive redirection | Enabled | |
Policy | Setting | Comment |
---|---|---|
Always prompt for password upon connection | Enabled | |
Require secure RPC communication | Enabled | |
Set client connection encryption level | Enabled | |
Policy | Setting | Comment |
---|---|---|
Prevent downloading of enclosures | Enabled | |
Policy | Setting | Comment |
---|---|---|
Allow indexing of encrypted files | Disabled | |
Policy | Setting | Comment |
---|---|---|
Allow user control over installs | Disabled | |
Always install with elevated privileges | Disabled | |
Policy | Setting | Comment |
---|---|---|
Sign-in last interactive user automatically after a system-initiated restart | Disabled | |
Policy | Setting | Comment |
---|---|---|
Turn on PowerShell Script Block Logging | Enabled | |
Turn on PowerShell Transcription | Enabled | |
Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow Digest authentication | Enabled | |
Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow WinRM from storing RunAs credentials | Enabled | |