Local Policy DoD Windows 11 Computer STIG v1r6

Data collected on: 3/7/2024 4:37:33 PM

Property | Value |
---|---|
Domain | security.local |
Owner | SECURITY\Domain Admins |
Created | 3/7/2024 3:28:22 PM |
Modified | 3/7/2024 3:28:44 PM |
User Revisions | 1 (AD), 1 (SYSVOL) |
Computer Revisions | 1 (AD), 1 (SYSVOL) |
Unique ID | {8959CAAB-67D7-4694-9CA1-829DC5F8F406} |
GPO Status | User settings disabled |

Location | Enforced | Link Status | Path |
---|---|---|---|
None | | | |

Name |
---|
NT AUTHORITY\Authenticated Users |

Name | Allowed Permissions | Inherited |
---|---|---|
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No |
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No |
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No |
SECURITY\Domain Admins | Edit settings, delete, modify security | No |
SECURITY\Enterprise Admins | Edit settings, delete, modify security | No |

Policy | Setting |
---|---|
Enforce password history | 24 passwords remembered |
Maximum password age | 60 days |
Minimum password age | 1 days |
Minimum password length | 14 characters |
Password must meet complexity requirements | Enabled |
Store passwords using reversible encryption | Disabled |

Policy | Setting |
---|---|
Account lockout duration | 15 minutes |
Account lockout threshold | 3 invalid logon attempts |
Reset account lockout counter after | 15 minutes |

Policy | Setting |
---|---|
Access Credential Manager as a trusted caller | |
Access this computer from the network | BUILTIN\Administrators, BUILTIN\Remote Desktop Users |
Act as part of the operating system | |
Allow log on locally | BUILTIN\Administrators, BUILTIN\Users |
Back up files and directories | BUILTIN\Administrators |
Change the system time | BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE |
Create a pagefile | BUILTIN\Administrators |
Create a token object | |
Create global objects | BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SERVICE |
Create permanent shared objects | |
Create symbolic links | BUILTIN\Administrators |
Debug programs | BUILTIN\Administrators |
Deny access to this computer from the network | BUILTIN\Guests |
Deny log on as a service | |
Deny log on locally | BUILTIN\Guests |
Deny log on through Terminal Services | BUILTIN\Guests |
Enable computer and user accounts to be trusted for delegation | |
Force shutdown from a remote system | BUILTIN\Administrators |
Impersonate a client after authentication | NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
Load and unload device drivers | BUILTIN\Administrators |
Lock pages in memory | |
Manage auditing and security log | BUILTIN\Administrators |
Modify firmware environment values | BUILTIN\Administrators |
Perform volume maintenance tasks | BUILTIN\Administrators |
Profile single process | BUILTIN\Administrators |
Restore files and directories | BUILTIN\Administrators |
Take ownership of files or other objects | BUILTIN\Administrators |

Policy | Setting |
---|---|
Accounts: Administrator account status | Disabled |
Accounts: Guest account status | Disabled |
Accounts: Limit local account use of blank passwords to console logon only | Enabled |
Accounts: Rename administrator account | "X_Admin" |
Accounts: Rename guest account | "Visitor" |

Policy | Setting |
---|---|
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
Domain member: Digitally sign secure channel data (when possible) | Enabled |
Domain member: Disable machine account password changes | Disabled |
Domain member: Maximum machine account password age | 30 days |
Domain member: Require strong (Windows 2000 or later) session key | Enabled |

Policy | Setting |
---|---|
Interactive logon: Message text for users attempting to log on | You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. |
Interactive logon: Message title for users attempting to log on | "US Department of Defense Warning Statement" |
Interactive logon: Smart card removal behavior | Lock Workstation |

Policy | Setting |
---|---|
Microsoft network client: Digitally sign communications (always) | Enabled |
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |

Policy | Setting |
---|---|
Microsoft network server: Digitally sign communications (always) | Enabled |

Policy | Setting |
---|---|
Network access: Allow anonymous SID/Name translation | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
Network access: Let Everyone permissions apply to anonymous users | Disabled |
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled |

Policy | Setting |
---|---|
Network security: Do not store LAN Manager hash value on next password change | Enabled |
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM |
Network security: LDAP client signing requirements | Negotiate signing |
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled |
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled |

Policy | Setting |
---|---|
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Enabled |

Policy | Setting |
---|---|
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |

Policy | Setting |
---|---|
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop |
User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests |
User Account Control: Detect application installations and prompt for elevation | Enabled |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |

Policy | Setting |
---|---|
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled |
Interactive logon: Machine inactivity limit | 900 seconds |
Network access: Restrict clients allowed to make remote calls to SAM | "O:BAG:BAD:(A;;RC;;;BA)" |
Network security: Allow LocalSystem NULL session fallback | Disabled |
Network security: Allow PKU2U authentication requests to this computer to use online identities. | Disabled |
Network security: Configure encryption types allowed for Kerberos | Enabled |

Policy | Setting |
---|---|
Audit Credential Validation | Success, Failure |

Policy | Setting |
---|---|
Audit Security Group Management | Success |
Audit User Account Management | Success, Failure |

Policy | Setting |
---|---|
Audit PNP Activity | Success |
Audit Process Creation | Success, Failure |

Policy | Setting |
---|---|
Audit Account Lockout | Failure |
Audit Group Membership | Success |
Audit Logoff | Success |
Audit Logon | Success, Failure |
Audit Other Logon/Logoff Events | Success, Failure |
Audit Special Logon | Success |

Policy | Setting |
---|---|
Audit Detailed File Share | Failure |
Audit File Share | Success, Failure |
Audit Other Object Access Events | Success, Failure |
Audit Removable Storage | Success, Failure |

Policy | Setting |
---|---|
Audit Audit Policy Change | Success |
Audit Authentication Policy Change | Success |
Audit Authorization Policy Change | Success |
Audit MPSSVC Rule-Level Policy Change | Success, Failure |
Audit Other Policy Change Events | Success, Failure |

Policy | Setting |
---|---|
Audit Sensitive Privilege Use | Success, Failure |

Policy | Setting |
---|---|
Audit IPsec Driver | Failure |
Audit Other System Events | Success, Failure |
Audit Security State Change | Success |
Audit Security System Extension | Success |
Audit System Integrity | Success, Failure |

Policy | Setting | Comment |
---|---|---|
Prevent enabling lock screen camera | Enabled | |
Prevent enabling lock screen slide show | Enabled | |

Policy | Setting | Comment |
---|---|---|
Apply UAC restrictions to local accounts on network logons | Enabled | |
Configure SMB v1 client driver | Enabled | |
Configure SMB v1 server | Disabled | |
Enable Structured Exception Handling Overwrite Protection (SEHOP) | Enabled | |
Remove "Run As Different User" from context menus | Enabled | |
WDigest Authentication (disabling may require KB2871997) | Disabled | |

Policy | Setting | Comment |
---|---|---|
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | Enabled | |
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Enabled | |
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | |
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | |

Policy | Setting | Comment |
---|---|---|
Enable insecure guest logons | Disabled | |

Policy | Setting | Comment |
---|---|---|
Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled | |

Policy | Setting | Comment |
---|---|---|
ECC Curve Order | Enabled | |

Policy | Setting | Comment |
---|---|---|
Minimize the number of simultaneous connections to the Internet or a Windows Domain | Enabled | |
Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled | |

Policy | Setting | Comment |
---|---|---|
Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services | Disabled | |

Policy | Setting | Comment |
---|---|---|
Include command line in process creation events | Enabled | |

Policy | Setting | Comment |
---|---|---|
Remote host allows delegation of non-exportable credentials | Enabled | |

Policy | Setting | Comment |
---|---|---|
Boot-Start Driver Initialization Policy | Enabled | |

Policy | Setting | Comment |
---|---|---|
Configure registry policy processing | Enabled | |

Policy | Setting | Comment |
---|---|---|
Turn off downloading of print drivers over HTTP | Enabled | |
Turn off Internet download for Web publishing and online ordering wizards | Enabled | |
Turn off printing over HTTP | Enabled |

Policy | Setting | Comment |
---|---|---|
Support device authentication using certificate | Enabled | |

Policy | Setting | Comment |
---|---|---|
Enumeration policy for external devices incompatible with Kernel DMA Protection | Enabled | |

Policy | Setting | Comment |
---|---|---|
Password Settings | Enabled | |

Policy | Setting | Comment |
---|---|---|
Do not display network selection UI | Enabled | |
Turn on convenience PIN sign-in | Disabled |

Policy | Setting | Comment |
---|---|---|
Minimum PIN length | Enabled | |

Policy | Setting | Comment |
---|---|---|
Require a password when a computer wakes (on battery) | Enabled | |
Require a password when a computer wakes (plugged in) | Enabled | |

Policy | Setting | Comment |
---|---|---|
Configure Solicited Remote Assistance | Disabled | |

Policy | Setting | Comment |
---|---|---|
Restrict Unauthenticated RPC clients | Enabled | |

Policy | Setting | Comment |
---|---|---|
Let Windows apps activate with voice while the system is locked | Enabled | |

Policy | Setting | Comment |
---|---|---|
Allow Microsoft accounts to be optional | Enabled | |

Policy | Setting | Comment |
---|---|---|
Turn off Inventory Collector | Enabled | |

Policy | Setting | Comment |
---|---|---|
Disallow Autoplay for non-volume devices | Enabled | |
Set the default behavior for AutoRun | Enabled | |
Turn off Autoplay | Enabled | |

Policy | Setting | Comment |
---|---|---|
Configure enhanced anti-spoofing | Enabled |

Policy | Setting | Comment |
---|---|---|
Configure minimum PIN length for startup | Enabled | |
Require additional authentication at startup | Enabled | |

Policy | Setting | Comment |
---|---|---|
Turn off Microsoft consumer experiences | Enabled | |

Policy | Setting | Comment |
---|---|---|
Enumerate administrator accounts on elevation | Disabled | |

Policy | Setting | Comment |
---|---|---|
Allow Diagnostic Data | Enabled | |

Policy | Setting | Comment |
---|---|---|
Download Mode | Enabled | |

Policy | Setting | Comment |
---|---|---|
Specify the maximum log file size (KB) | Enabled | |

Policy | Setting | Comment |
---|---|---|
Specify the maximum log file size (KB) | Enabled | |

Policy | Setting | Comment |
---|---|---|
Specify the maximum log file size (KB) | Enabled | |

Policy | Setting | Comment |
---|---|---|
Turn off Data Execution Prevention for Explorer | Disabled | |
Turn off heap termination on corruption | Disabled | |
Turn off shell protocol protected mode | Disabled |

Policy | Setting | Comment |
---|---|---|
Disable Internet Explorer 11 as a standalone browser | Enabled | |

Policy | Setting | Comment |
---|---|---|
Do not allow passwords to be saved | Enabled | |

Policy | Setting | Comment |
---|---|---|
Do not allow drive redirection | Enabled | |

Policy | Setting | Comment |
---|---|---|
Always prompt for password upon connection | Enabled | |
Require secure RPC communication | Enabled | |
Set client connection encryption level | Enabled | |

Policy | Setting | Comment |
---|---|---|
Prevent downloading of enclosures | Enabled | |
Turn on Basic feed authentication over HTTP | Disabled | |

Policy | Setting | Comment |
---|---|---|
Allow indexing of encrypted files | Disabled | |

Policy | Setting | Comment |
---|---|---|
Configure Windows Defender SmartScreen | Enabled | |

Policy | Setting | Comment |
---|---|---|
Enables or disables Windows Game Recording and Broadcasting | Disabled | |

Policy | Setting | Comment |
---|---|---|
Use a hardware security device | Enabled | |

Policy | Setting | Comment |
---|---|---|
Allow Windows Ink Workspace | Enabled | |

Policy | Setting | Comment |
---|---|---|
Allow user control over installs | Disabled | |
Always install with elevated privileges | Disabled | |
Prevent Internet Explorer security prompt for Windows Installer scripts | Disabled | |

Policy | Setting | Comment |
---|---|---|
Sign-in and lock last interactive user automatically after a restart | Disabled | |

Policy | Setting | Comment |
---|---|---|
Turn on PowerShell Script Block Logging | Enabled | |
Turn on PowerShell Transcription | Enabled | |

Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow Digest authentication | Enabled | |

Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow WinRM from storing RunAs credentials | Enabled | |