Sr

Domain
1 No Windows services that are critical for directory server operation must be configured for automatic startup.
2 The system must be configured to audit Object Access - File System failures.
3 The system must be configured to audit Object Access - Central Access Policy Staging failures.
4 The directory service must be configured to terminate LDAP-based network connections to the directory server after five (5) minutes of inactivity.
5 Only administrators responsible for the system must have Administrator rights on the system.
6 The system must be configured to audit DS Access - Directory Service Changes failures.
7 Audit policy using subcategories must be enabled.
8 The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
9 The built-in guest account must be disabled.
10 Local accounts with blank passwords must be restricted to prevent access from the network.
11 The built-in administrator account must be renamed.
12 The built-in guest account must be renamed.
13 Auditing the Access to Global System Objects must be turned off.
14 The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
15 Unauthorized accounts must not have the Create a token object user right.
16 Unauthorized accounts must not have the Create global objects user right.
17 Unauthorized accounts must not have the Change the time zone user right.
18 Unauthorized accounts must not have the Create a pagefile user right.
19 Unauthorized accounts must not have the Debug programs user right.
20 Unauthorized accounts must not have the Create permanent shared objects user right.
21 Unauthorized accounts must not have the Create symbolic links user right.
22 The system must be configured to audit DS Access - Directory Service Access successes.
23 Named pipes that can be accessed anonymously must be configured with limited values on domain controllers.
24 Copying of user input methods to the system account for sign-in must be prevented.
25 The classic logon screen must be required for user logons.
26 Windows Registration Wizard must be turned off.
27 Search Companion must be prevented from automatically downloading content updates.
28 The Order Prints Online wizard must be turned off.
29 The file and folder Publish to Web option must be unavailable in Windows folders.
30 Windows Messenger must be prevented from collecting anonymous information about how the service is used.
31 The Windows Customer Experience Improvement Program must be disabled.
32 The system must be configured to prevent automatic forwarding of error information.
33 Windows must be prevented from using Windows Update to search for drivers.
34 The DoD Interoperability Root CA to DoD Root CA 2 cross-certificate must be installed into the Untrusted Certificates Store.
35 The External CA root certificate must be installed into the Trusted Root Store.
36 The DoD root certificate must be installed into the Trusted Root Store.
37 The Windows Remote Management (WinRM) service must not store RunAs credentials.
38 Global object access auditing of the registry must be configured to record failures.
39 Global object access auditing of the file system must be configured to record failures.
40 The system must be configured to audit System - System Integrity failures.
41 The system must be configured to audit System - Security System Extension failures.
42 The system must be configured to audit System - System Integrity successes.
43 If the time service is configured, it must use an authorized time server.
44 Domain controllers must require LDAP access signing.
45 Remote Assistance log files must be generated.
46 The system must be configured to audit Detailed Tracking - Process Creation successes.
47 The system must be configured to audit Account Management - User Account Management failures.
48 Auditing of Backup and Restore Privileges must be turned off.
49 The system must limit how many times unacknowledged TCP data is retransmitted.
50 The system must generate an audit event when the audit log reaches a percentage of full threshold.
51 Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data-in-transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
52 The system must be configured to disable the Internet Router Discovery Protocol (IRDP).
53 The system must be configured to use Safe DLL Search Mode.
54 The system must be configured to have password protection take effect within a limited time frame when the screen saver becomes active.
55 IPv6 TCP data retransmissions must be configured to prevent resources from becoming exhausted.
56 The system must be configured to limit how often keep-alive packets are sent.
57 IPSec exemptions must be limited.
58 The system must be configured to ignore NetBIOS name release requests except from WINS servers.
59 The Peer Networking Identity Manager service must be disabled if installed.
60 The Fax service must be disabled if installed.
61 The Microsoft FTP service must not be installed.
62 The Smart Card Removal Policy service must be configured to automatic.
63 The directory server must be configured to use the CAC, PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
64 The Simple TCP/IP Services service must be disabled if installed.
65 The Telnet service must be disabled if installed.
66 The Remote Desktop Session Host must require secure RPC communications.
67 Remote Desktop Services must limit users to one remote session.
68 Users must be prevented from mapping local COM ports and redirecting data from the Remote Desktop Session Host to local COM ports. (Remote Desktop Services Role).
69 Users must be prevented from mapping local LPT ports and redirecting data from the Remote Desktop Session Host to local LPT ports. (Remote Desktop Services Role).
70 The system must be configured to ensure smart card devices can be redirected to the Remote Desktop session. (Remote Desktop Services Role).
71 Users must be prevented from redirecting Plug and Play devices to the Remote Desktop Session Host. (Remote Desktop Services Role).
72 Only the default client printer must be redirected to the Remote Desktop Session Host. (Remote Desktop Services Role).
73 The system must be configured to remove the Disconnect option from the Shut Down dialog box on the Remote Desktop Client. (Remote Desktop Services Role).
74 The system must be configured to audit Account Management - Security Group Management failures.
75 The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
76 The IP-HTTPS IPv6 transition technology must be disabled.
77 The ISATAP IPv6 transition technology must be disabled.
78 Network Bridges must be prohibited in Windows.
79 Domain users must be required to elevate when setting a network's location.
80 All Direct Access traffic must be routed through the internal network.
81 The 6to4 IPv6 transition technology must be disabled.
82 The Mapper I/O network protocol (LLTDIO) driver must be disabled.
83 The Responder network protocol driver must be disabled.
84 Windows Peer-to-Peer Networking Services must be turned off.
85 Unauthorized accounts must not have the Shut down the system user right.
86 Unauthorized accounts must not have the Restore files and directories user right.
87 Unauthorized accounts must not have the Take ownership of files or other objects user right.
88 Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
89 User Account Control approval mode for the built-in Administrator must be enabled.
90 Domain created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
91 Software certificate installation files must be removed from a system.
92 Necessary services must be documented to maintain a baseline to determine if additional, unnecessary services have been added to a system.
93 Servers must have a host-based Intrusion Detection System.
94 The system must employ automated mechanisms or must have an application installed that, on an organization defined frequency, determines the state of information system components with regard to flaw remediation.
95 The system must support automated patch management tools to facilitate flaw remediation to organization defined information system components.
96 The system must query the certification authority to determine whether a public key certificate has been revoked before accepting the certificate for authentication purposes.
97 FTP servers must be configured to prevent anonymous logons.
98 FTP servers must be configured to prevent access to the system drive.
99 The Windows Firewall must log successful connections for the Domain Profile.
100 The Windows Firewall must log dropped packets for the Domain Profile.
101 The Windows Firewall must block unicast responses to multicast or broadcast messages for the Domain Profile.
102 The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Domain Profile.
103 The Windows Firewall log size must be configured for the Domain Profile.
104 The Windows Firewall log file name and location must be configured for the Domain Profile.
105 The system must notify antivirus when file attachments are opened.
106 Mechanisms for removing zone information from file attachments must be hidden.
107 Media Player must be configured to prevent automatic Codec downloads.
108 Users must be prevented from sharing files in their profiles.
109 Unencrypted remote access to system services must not be permitted.
110 Application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
111 Application account passwords must be at least 15 characters in length.
112 Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.
113 Shared user accounts must not be permitted on the system.
114 User-level information must be backed up per organization defined frequency consistent with recovery time and recovery point objectives.
115 System-level information must be backed up per organization defined frequency consistent with recovery time and recovery point objectives.
116 System-related documentation must be backed up per organization defined frequency consistent with recovery time and recovery point objectives.
117 Backups of system-level information must be protected.
118 User Account Control must be configured to detect application installations and prompt for elevation.
119 Windows must elevate all applications in User Account Control, not just signed ones.
120 User Account Control must only elevate UIAccess applications that are installed in secure locations.
121 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
122 User Account Control must switch to the secure desktop when prompting for elevation.
123 User Account Control must virtualize file and registry write failures to per-user locations.
124 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
125 Software certificate restriction policies must be enforced.
126 Optional Subsystems must not be permitted to operate on the system.
127 The print driver installation privilege must be restricted to administrators.
128 The Active Directory AdminSDHolder object must be configured with proper audit settings.
129 The Synchronize directory service data user right must be configured to include no accounts or groups (blank).
130 The system must be configured to audit Object Access - Handle Manipulation failures.
131 The built-in Microsoft password complexity filter must be enabled.
132 Reversible password encryption must be disabled.
133 The number of allowed bad logon attempts must meet minimum requirements.
134 The period of time before the bad logon counter is reset must meet minimum requirements.
135 The lockout duration must be configured to require an administrator to unlock an account.
136 The minimum password age must meet requirements.
137 Passwords must, at a minimum, be 14 characters.
138 The password uniqueness must meet minimum requirements.
139 The maximum password age must meet requirements.
140 The system must be configured to require a strong session key.
141 The maximum age for machine account passwords must be set to requirements.
142 The computer account password must not be prevented from being reset.
143 Outgoing secure channel traffic must be signed when possible.
144 Outgoing secure channel traffic must be encrypted when possible.
145 Outgoing secure channel traffic must be encrypted or signed.
146 Ejection of removable NTFS media must be restricted to Administrators.
147 The Ctrl+Alt+Del security attention sequence for logons must be enabled.
148 The system must be configured to prevent the display of the last username on the logon screen.
149 Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
150 Permissions for the System event log must prevent access by nonprivileged accounts.
151 Permissions for the Application event log must prevent access by nonprivileged accounts.
152 Permissions for the Security event log must prevent access by nonprivileged accounts.
153 Audit data of systems containing sources and methods intelligence (SAMI) must be retained for at least five years.
154 Audit records must be backed up on an organization defined frequency onto a different system or media than the system being audited.
155 Audit data must be reviewed on a regular basis.
156 Audit data must be retained for at least one year.
157 Unauthorized accounts must not have the Access Credential Manager as a trusted caller user right.
158 Unauthorized accounts must not have the Act as part of the operating system user right.
159 Unauthorized accounts must not have the Allow log on locally user right.
160 Unauthorized accounts must not have the Adjust memory quotas for a process user right.
161 Unauthorized accounts must not have the Back up files and directories user right.
162 Unauthorized accounts must not have the Allow log on through Remote Desktop Services user right.
163 Unauthorized accounts must not have the Change the system time user right.
164 Unauthorized accounts must not have the Bypass traverse checking user right.
165 The Enhanced Mitigation Experience Toolkit (EMET) must be installed on the system.
166 The display must turn off after 20 minutes of inactivity when the system is plugged in.
167 The display must turn off after 20 minutes of inactivity when the system is running on battery.
168 The user must be prompted for a password on resume from sleep (plugged in).
169 Users must be prompted for a password on resume from sleep (on battery).
170 App notifications on the lock screen must be turned off.
171 Local users on domain-joined computers must not be enumerated.
172 Solicited Remote Assistance must not be allowed.
173 The system must be configured to prevent unsolicited remote assistance offers.
174 The Active Directory Infrastructure object must be configured with proper audit settings.
175 The system must be configured to audit System - IPSec Driver failures.
176 The system must be configured to audit System - Security State Change successes.
177 The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
178 The system must be configured to audit System - IPSec Driver successes.
179 The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
180 The system must be configured to audit System - Security System Extension successes.
181 The system must be configured to audit System - Security State Change failures.
182 The time synchronization tool must be configured to enable logging of time source switching.
183 Network shares that can be accessed anonymously must not be allowed.
184 Anonymous access to Named Pipes and Shares must be restricted.
185 The system must be configured to prevent the storage of passwords and credentials.
186 Anonymous enumeration of shares must be restricted.
187 Anonymous enumeration of SAM accounts must not be allowed.
188 Anonymous SID/Name translation must not be allowed.
189 Unauthorized remotely accessible registry paths and sub-paths must not be configured.
190 Unauthorized remotely accessible registry paths must not be configured.
191 The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
192 Anonymous access to the root DSE of a non-public directory must be disabled.
193 The Application event log must be configured to a minimum size requirement.
194 The Security event log must be configured to a minimum size requirement.
195 The Active Directory SYSVOL directory must have the proper access control permissions.
196 The System event log must be configured to a minimum size requirement.
197 The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Recommended Software must be enabled.
198 The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Popular Software must be enabled.
199 Automatic Updates must not be used (unless configured to point to a DoD server).
200 The Enhanced Mitigation Experience Toolkit (EMET) system-wide Structured Exception Handler Overwrite Protection (SEHOP) must be configured to Application Opt Out.
201 The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
202 The Windows Remote Management (WinRM) service must not use Basic authentication.
203 The Windows Remote Management (WinRM) client must not use Digest authentication.
204 The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
205 The Windows Remote Management (WinRM) client must not use Basic authentication.
206 Windows Media Player must be configured to prevent automatic checking for updates.
207 Users must not be presented with Privacy and Installation options on first use of Windows Media Player.
208 Windows Media Digital Rights Management (DRM) must be prevented from accessing the Internet.
209 The Kerberos user ticket lifetime must be limited to 10 hours or less.
210 The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Private Profile.
211 The Windows SMB client must be configured to always perform SMB packet signing.
212 The Windows SMB client must be enabled to perform SMB packet signing when possible.
213 The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
214 Caching of logon credentials must be limited.
215 Users must be warned in advance of their passwords expiring.
216 The required legal notice must be configured to display before console logon.
217 The Windows dialog box title for the legal banner must be configured.
218 The machine account lockout threshold must be set to 10 on systems with BitLocker enabled.
219 The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
220 Remote access to the Plug and Play interface must be disabled for device installation.
221 Optional component installation and component repair must be prevented from using Windows Update.
222 The Windows Connect Now wizards must be disabled.
223 The configuration of wireless devices using Windows Connect Now must be disabled.
224 IP stateless autoconfiguration limits state must be enabled.
225 The Teredo IPv6 transition technology must be disabled.
226 Windows Update must be prevented from searching for point and print drivers.
227 The Windows Firewall must be enabled for the Domain Profile.
228 The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Domain Profile.
229 The Windows Firewall must block unsolicited inbound connections for the Domain Profile.
230 Responsiveness events must be prevented from being aggregated and sent to Microsoft.
231 PKU2U authentication using online identities must be prevented.
232 Microsoft Support Diagnostic Tool (MSDT) interactive communication with Microsoft must be prevented.
233 Access to Windows Online Troubleshooting Service (WOTS) must be prevented.
234 Unauthenticated RPC clients must be restricted from connecting to the RPC server.
235 The detection of compatibility issues for applications and drivers must be turned off.
236 The system must be configured to audit DS Access - Directory Service Access failures.
237 Client computers must be required to authenticate for RPC communication.
238 Data files owned by users must be on a different logical partition from the directory server data files.
239 The Kerberos policy user ticket renewal maximum lifetime must be limited to 7 days or less.
240 The system must be configured to audit DS Access - Directory Service Changes successes.
241 The system must be configured to audit Logon/Logoff - Logon failures.
242 The system must be configured to audit Logon/Logoff - Logoff successes.
243 The system must be configured to audit Logon/Logoff - Logon successes.
244 NTLM must be prevented from falling back to a Null session.
245 Time synchronization must be enabled on the domain controller.
246 The system must be configured to use the Classic security model.
247 Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously.
248 The system must be configured to force users to log off when their allowed logon hours expire.
249 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
250 Kerberos encryption types must be configured to prevent the use of DES encryption suites.
251 The system must be configured to prevent the storage of the LAN Manager hash of passwords.
252 The system must be configured to the required LDAP client signing level.
253 The system must be configured to meet the minimum session security requirement for NTLM SSP-based clients.
254 The Windows Installer Always install with elevated privileges option must be disabled.
255 Users must be notified if a web-based program attempts to install software.
256 Additional data requests in response to Error Reporting must be declined.
257 Users must be prevented from changing installation options.
258 Error Reporting events must be logged in the system event log.
259 Unauthorized accounts must not have the Replace a process level token user right.
260 The Windows Store application must be turned off.
261 Microsoft Active Protection Service membership must be disabled.
262 Unauthorized accounts must not have the Modify firmware environment values user right.
263 Unauthorized accounts must not have the Perform volume maintenance tasks user right.
264 Unauthorized accounts must not have the Profile single process user right.
265 Unauthorized accounts must not have the Profile system performance user right.
266 Unauthorized accounts must not have the Log on as a batch job user right.
267 Unauthorized accounts must not have the Manage auditing and security log user right.
268 Users must be notified if the logon server was inaccessible and cached credentials were used.
269 The Setup event log must be configured to a minimum size requirement.
270 The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
271 The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Private Profile.
272 Device metadata retrieval from the Internet must be prevented.
273 Windows must be prevented from sending an error report when a device driver requests additional software during installation.
274 An error report must not be sent when a generic device driver is installed.
275 A system restore point must be created when a new device driver is installed.
276 Users must not be prompted to search Windows Update for device drivers.
277 Early Launch Antimalware, Boot-Start Driver Initialization Policy must be enabled and configured to only Good and Unknown.
278 Device driver searches using Windows Update must be prevented.
279 Device driver updates must only search managed servers, not Windows Update.
280 Group Policy objects must be reprocessed even if they have not changed.
281 Group Policies must be refreshed in the background if the user is logged on.
282 Nonadministrators must be prevented from applying vendor-signed updates.
283 Unauthorized accounts must not have the Load and unload device drivers user right.
284 Unauthorized accounts must not have the Modify an object label user right.
285 The Windows SmartScreen must be turned off.
286 Explorer Data Execution Prevention must be enabled.
287 Permissions for system drive root directory (usually C:) must conform to minimum requirements.
288 Permissions for program file directories must conform to minimum requirements.
289 Local volumes must be formatted using NTFS.
290 An approved DoD antivirus program must be installed and used.
291 The antivirus program signature files must be kept updated.
292 Active Directory Group Policy objects must be configured with proper audit settings.
293 Systems must be maintained at a supported service pack level.
294 Permissions for Windows installation directory must conform to minimum requirements.
295 Password complexity software that enforces DoD requirements must be implemented.
296 The system must be configured to audit Account Logon - Credential Validation successes.
297 The system must be configured to audit Account Logon - Credential Validation failures.
298 Domain controllers must have a PKI server certificate.
299 Active Directory Group Policy objects must have proper access control permissions.
300 The Enhanced Mitigation Experience Toolkit (EMET) system-wide Data Execution Prevention (DEP) must be enabled and configured to at least Application Opt Out.
301 File Explorer shell protocol must run in protected mode.
302 Turning off File Explorer heap termination on corruption must be disabled.
303 Passwords must not be saved in the Remote Desktop Client.
304 The location feature must be turned off.
305 Remote Desktop Services must always prompt a client for passwords upon connection.
306 Local drives must be prevented from sharing with Remote Desktop Session Hosts. (Remote Desktop Services Role).
307 The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
308 The system must be configured to prevent IP source routing.
309 Unauthorized accounts must not have the Add workstations to domain user right.
310 The service principal name (SPN) target name validation level must be turned off.
311 Users must be forcibly disconnected when their logon hours expire.
312 IPv6 source routing must be configured to the highest protection level.
313 Automatic logons must be disabled.
314 The amount of idle time required before suspending a session must be properly set.
315 Unencrypted passwords must not be sent to a third-party SMB server.
316 The Windows SMB server must perform SMB packet signing when possible.
317 The Windows SMB server must be configured to always perform SMB packet signing.
318 The computer clock synchronization tolerance must be limited to 5 minutes or less.
319 Active Directory data files must have proper access control permissions.
320 The Windows Firewall must log successful connections for the Private Profile.
321 Unauthorized accounts must not have the Increase scheduling priority user right.
322 The Windows Firewall must be enabled for the Public Profile.
323 The Windows Firewall log size must be configured for the Private Profile.
324 The Windows Firewall must log dropped packets for the Private Profile.
325 The Windows Firewall must block unicast responses to multicast or broadcast messages for the Private Profile.
326 The Windows Firewall log file name and location must be configured for the Private Profile.
327 The Enhanced Mitigation Experience Toolkit (EMET) Default Protections for Internet Explorer must be enabled.
328 The Enhanced Mitigation Experience Toolkit (EMET) system-wide Address Space Layout Randomization (ASLR) must be enabled and configured to Application Opt In.
329 The use of biometrics must be disabled.
330 Autoplay must be disabled for all drives.
331 The system must require username and password to elevate a running application.
332 The password reveal button must not be displayed.
333 The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
334 Trusted app installation must be enabled to allow for signed enterprise line of business apps.
335 The default autorun behavior must be configured to prevent autorun commands.
336 Autoplay must be turned off for non-volume devices.
337 The Windows Firewall log size must be configured for the Public Profile.
338 The Windows Firewall log file name and location must be configured for the Public Profile.
339 The Windows Firewall local firewall rules must not be merged with Group Policy settings for the Public Profile.
340 The Windows Firewall local connection rules must not be merged with Group Policy settings for the Public Profile.
341 The Windows Firewall must block unicast responses to multicast or broadcast messages for the Public Profile.
342 The Windows Firewall must display notifications when a program is blocked from receiving an inbound connection for the Public Profile.
343 The Windows Firewall must allow outbound connections, unless a rule explicitly blocks the connection for the Public Profile.
344 The Windows Firewall must block unsolicited inbound connections for the Public Profile.
345 The Windows Firewall must block unsolicited inbound connections for the Private Profile.
346 The Windows Firewall must log successful connections for the Public Profile.
347 The Windows Firewall must log dropped packets for the Public Profile.
348 The Active Directory RID Manager$ object must be configured with proper audit settings.
349 The system must be configured to audit Account Management - User Account Management successes.
350 The Active Directory Domain object must be configured with proper audit settings.
351 The system must be configured to audit
Account Logon - Computer Account
Management failures.

352 The system must be configured to audit
Account Management - Security Group
Management successes.

353 The system must be configured to audit
Account Management - Other Account
Management Events failures.

354 The system must be configured to audit
Logon/Logoff - Special Logon successes.

355 Users with administrative privilege must
be documented.

356 The system must be configured to audit
Object Access - Central Access Policy
Staging successes.

357 Unauthorized accounts must not have the
Enable computer and user accounts to be
trusted for delegation user right.

358 The Recovery Console option must be set
to prevent automatic logon to the system.

359 The system must be configured to meet
the minimum session security
requirement for NTLM SSP-based servers.

360 The shutdown option must not be
available from the logon dialog box.

361 The Recovery Console SET command must
be disabled.

362 The system must be configured to require
case insensitivity for non-Windows
subsystems.

363 The system must be configured to use
FIPS-compliant algorithms for encryption,
hashing, and signing.

364 Kerberos user logon restrictions must be
enforced.

365 The default permissions of global system
objects must be increased.

366 User Account Control must automatically
deny standard user requests for elevation.

367 User Account Control must, at minimum,
prompt administrators for consent.

368 Domain controllers must be configured to
allow reset of machine account
passwords.

369 Attachments must be prevented from
being downloaded from RSS feeds.

370 Remote Desktop Services must be
configured to use session-specific
temporary folders.

371 Unauthorized accounts must not have the
Lock pages in memory user right.

372 Basic authentication for RSS feeds over
HTTP must be turned off.

373 Remote Desktop Services must be
configured to disconnect an idle session
after the specified time period.

374 Remote Desktop Services must be
configured with the client connection
encryption set to the required level.

375 Remote Desktop Services must delete
temporary folders when a session is
terminated.

376 Remote Desktop Services must be
configured to set a time limit for
disconnected sessions.

377 Unauthorized accounts must not have the
Force shutdown from a remote system
user right.

378 Automatic download of updates from the
Windows Store must be turned off.

379 Unauthorized accounts must not have the
Increase a process working set user right.

380 Unauthorized accounts must not have the
Impersonate a client after authentication
user right.

381 Unauthorized accounts must not have the
Generate security audits user right.

382 PKI certificates associated with user
accounts must be issued by the DoD PKI
or an approved External Certificate
Authority (ECA).

383 The Active Directory Domain Controllers
Organizational Unit (OU) object must be
configured with proper audit settings.

384 Unauthorized accounts must not have the
Access this computer from the network
user right.

385 Standard user accounts must only have
Read permissions to the Winlogon registry
key.

386 Local administrator accounts must have
their privileged token filtered to prevent
elevated privileges from being used over
the network on domain systems.

387 Standard user accounts must only have
Read permissions to the Active
Setup\Installed Components registry key.

388 Anonymous access to the registry must be
restricted.

389 The Kerberos service ticket maximum
lifetime must be limited to 600 minutes or
less.

390 Root Certificates must not be updated
automatically from the Microsoft site.

391 Access to the Windows Store must be
turned off.

392 Event Viewer Events.asp links must be
turned off.

393 Downloading print driver packages over
HTTP must be prevented.

394 Errors in handwriting recognition on
tablet PCs must not be reported to
Microsoft.

395 Web publishing and online ordering
wizards must be prevented from
downloading a list of providers.

396 The Internet Connection Wizard must not
download a list of Internet Service
Providers (ISPs) from Microsoft.

397 Printing over HTTP must be prevented.

398 The Internet File Association service must
be turned off.

399 The directory server supporting (directly
or indirectly) system access or resource
authorization must run on a machine
dedicated to that function.

400 The Deny log on as a batch job user right
on domain controllers must be configured
to prevent unauthenticated access.

401 Accounts must require passwords.

402 Outdated or unused accounts must be
removed from the system.

403 System files must be monitored for
unauthorized changes.

404 System mechanisms must be
implemented to enforce automatic
expiration of passwords.

405 Virtual guest operating systems must be
registered in a vulnerability and asset
management system.

406 The system must not boot into multiple
operating systems (dual-boot).

407 Local users must not exist on a system in a
domain.

408 Nonadministrative user accounts or
groups must only have print permissions
on printer shares.

409 The HBSS McAfee Agent must be
installed.

410 File shares must limit access to data on a
system.

411 Windows Help Ratings feedback must be
turned off.

412 Zone information must be preserved
when saving attachments.

413 Toast notifications to the lock screen must
be turned off.

414 The Windows Help Experience
Improvement Program must be disabled.

415 Changing the screen saver must be
prevented.

416 Notifications from Windows Push
Network Service must be turned off.

417 A screen saver must be defined.

418 The screen saver must be password
protected.

419 The Windows Firewall must be enabled
for the Private Profile.

420 A screen saver must be enabled on the
system.

421 Policy must require that administrative
user accounts not be used with
applications that access the Internet, such
as web browsers, or with potential
Internet sources, such as email.

422 Members of the Backup Operators group
must have separate accounts for backup
duties and normal operational tasks.

423 System BIOS or system controllers
supporting password protection must
have administrator accounts/passwords
only configured, and no others.

424 The system must not use removable
media as the boot loader.

425 The system must be configured to audit
Account Logon - Computer Account
Management successes.

426 Server systems must be located in a
controlled access area.

427 Policy must require that system
administrators (SAs) be trained for the
operating systems used by systems under
their control.

428 Passwords for the built-in Administrator
account must be changed regularly.

429 The system must be configured to audit
Account Management - Other Account
Management Events successes.

430 Users with Administrative privileges must
have separate accounts for administrative
duties and normal operational tasks.

431 The Deny log on as a service user right
must be configured to include no
accounts or groups (blank).

432 The system must be configured to audit
Policy Change - Audit Policy Change
successes.

433 The system must be configured to audit
Policy Change - Audit Policy Change
failures.

434 The system must be configured to audit
Policy Change - Authentication Policy
Change successes.

435 The system must be configured to audit
Object Access - Registry failures.

436 The system must be configured to audit
Object Access - Removable Storage
successes.

437 The system must be configured to audit
Object Access - Removable Storage
failures.

Description
Active Directory (AD) is dependent on several Windows services. If one or more of
these services is not configured for automatic startup, AD functions may be partially
or completely unavailable until the services are manually started. This could result in
a failure to replicate data or to support client authentication and authorization
requests.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
File System auditing under Object Access is used to enable the recording of events
related to the access and changing of files and directories. Auditing must also be
enabled on the specific file system objects to be audited.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Central Access Policy Staging auditing under Object Access is used to enable the
recording of events related to differences in permissions between central access
policies and proposed policies.

The failure to terminate inactive network connections increases the risk of a
successful attack on the directory server. The longer an established session is in
progress, the more time an attacker has to hijack the session, implement a means to
passively intercept data, or compromise any protections on client access. For
example, if an attacker gains control of a client computer, an existing (already
authenticated) session with the directory server could allow access to the directory.
The lack of confidentiality protection in LDAP-based sessions increases exposure to
this vulnerability.

An account that does not have Administrator duties must not have Administrator
rights. Such rights would allow the account to bypass or modify required security
restrictions on that machine and make it vulnerable to attack.

System administrators must log on to systems only using accounts with the minimum
level of authority necessary.

Standard user accounts must not be members of the built-in Administrators group.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Audit directory service changes records events related to changes made to objects in
Active Directory Domain Services.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
This setting allows administrators to enable more precise auditing capabilities.
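
The subcategory-level audit requirements in this checklist (for example items 349, 352 to 354, 429 and 432 to 437) can be checked mechanically against the CSV report that `auditpol /get /category:* /r` produces. The Python sketch below is an added example, not part of the checklist: the required-settings table is transcribed from the requirement titles, while the report text, host name and GUID placeholders are constructed sample data, and English-language auditpol output is assumed.

```python
import csv
import io

# Required settings transcribed from the requirement titles in this checklist
# (item numbers in the trailing comments).
REQUIRED = {
    "User Account Management": {"Success"},                        # 349
    "Security Group Management": {"Success"},                      # 352
    "Other Account Management Events": {"Success", "Failure"},     # 429, 353
    "Special Logon": {"Success"},                                  # 354
    "Central Access Policy Staging": {"Success", "Failure"},       # 356, 3
    "Computer Account Management": {"Success", "Failure"},         # 425, 351
    "Audit Policy Change": {"Success", "Failure"},                 # 432, 433
    "Authentication Policy Change": {"Success"},                   # 434
    "Registry": {"Failure"},                                       # 435
    "Removable Storage": {"Success", "Failure"},                   # 436, 437
}

# Values auditpol writes in the "Inclusion Setting" column.
SETTING_FLAGS = {
    "No Auditing": set(),
    "Success": {"Success"},
    "Failure": {"Failure"},
    "Success and Failure": {"Success", "Failure"},
}

# Constructed sample report (host name and GUID placeholders are made up).
SAMPLE_REPORT = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,User Account Management,{GUID},Success and Failure,
DC01,System,Security Group Management,{GUID},Success,
DC01,System,Other Account Management Events,{GUID},Success,
DC01,System,Special Logon,{GUID},Success,
DC01,System,Central Access Policy Staging,{GUID},No Auditing,
DC01,System,Computer Account Management,{GUID},Success and Failure,
DC01,System,Audit Policy Change,{GUID},Success and Failure,
DC01,System,Authentication Policy Change,{GUID},Failure,
DC01,System,Registry,{GUID},Failure,
"""


def parse_auditpol_csv(text):
    """Map each subcategory name to the set of outcomes it audits."""
    current = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        name = (row.get("Subcategory") or "").strip()
        setting = (row.get("Inclusion Setting") or "").strip()
        if not name:
            continue  # skip blank or malformed rows
        if setting not in SETTING_FLAGS:
            # Fail loudly instead of treating an unknown value as compliant.
            raise ValueError(f"unrecognized setting {setting!r} for {name!r}")
        current[name] = SETTING_FLAGS[setting]
    return current


def find_gaps(current, required=REQUIRED):
    """Return (subcategory, missing outcomes, present in report) per finding.

    A required subcategory that is absent from the report counts as a
    finding; it must never pass silently.
    """
    gaps = []
    for name in sorted(required):
        reported = name in current
        missing = required[name] - current.get(name, set())
        if missing:
            gaps.append((name, sorted(missing), reported))
    return gaps


if __name__ == "__main__":
    for name, missing, reported in find_gaps(parse_auditpol_csv(SAMPLE_REPORT)):
        note = "" if reported else " (subcategory not in report)"
        print(f"FINDING: {name}: not auditing {' and '.join(missing)}{note}")
```
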

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Deny log on through Remote Desktop Services" user right defines the accounts
that are prevented from logging on using Remote Desktop Services.

The Guests group must be assigned this right to prevent unauthenticated access.

A system faces an increased vulnerability threat if the built-in guest account is not
disabled. This account is a known account that exists on all Windows systems and
cannot be deleted. This account is initialized during the installation of the operating
system with no password assigned.

An account without a password can allow unauthorized access to a system as only
the username would be required. Password policies should prevent accounts with
blank passwords from existing on a system. However, if a local account with a blank
password did exist, enabling this setting will prevent network access, limiting the
account to local console logon only.

The built-in administrator account is a well-known account subject to attack.
Renaming this account to an unidentified name improves the protection of this
account and the system.

The built-in guest account is a well-known user account on all Windows systems and,
as initially installed, does not require a password. This can allow access to system
resources by unauthorized users. Renaming this account to an unidentified name
improves the protection of this account and the system.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
This setting prevents the system from setting up a default system access control list
for certain system objects, which could create a very large number of security events,
filling the security log in Windows and making it difficult to identify actual issues.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Deny log on locally" user right defines accounts that are prevented from logging
on interactively.

The Guests group must be assigned this right to prevent unauthenticated access.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Create a token object" user right allows a process to create an access token.
This could be used to provide elevated rights and compromise a system.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Create global objects" user right can create objects that are
available to all sessions, which could affect processes in other users' sessions.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Change the time zone" user right can change the time zone of a
system.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Create a pagefile" user right can change the size of a pagefile,
which could affect system performance.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Debug programs" user right can attach a debugger to any process
or to the kernel, providing complete access to sensitive and critical operating system
components. This right is given to Administrators in the default configuration.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Create permanent shared objects" user right could expose
sensitive data by creating shared objects.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Create symbolic links" user right can create pointers to other
objects, which could potentially expose the system to attack.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Audit directory service access records events related to users accessing an Active
Directory object.

Named pipes that can be accessed anonymously provide the potential for gaining
unauthorized system access. Pipes are internal system communications processes.
They are identified internally by ID numbers that vary between systems. To make
access to these processes easier, these pipes are given names that do not vary
between systems. This setting controls which of these pipes anonymous users may
access.

Allowing different input methods for sign-in could open different avenues of attack.
User input methods must be restricted to those enabled for the system account at
sign-in.

The classic logon screen requires users to enter a logon name and password to access
a system. The simple logon screen or Welcome screen displays usernames for
selection, providing part of the necessary logon information.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents the Windows Registration Wizard from online registration.
Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents the Search Companion from automatically downloading content
updates during local and Internet searches.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting ensures the "Order Prints Online" task is not available in File Explorer.

Allowing the option to publish to the web from File and Folder tasks in Windows
folders could allow sensitive information to be exposed.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents Windows Messenger from collecting anonymous information
about how the Windows Messenger software and service is used.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting ensures the Windows Customer Experience Improvement Program is
disabled so information is not passed to the vendor.

This setting controls the reporting of errors to Microsoft and, if defined, a corporate
error reporting site. This does not interfere with the reporting of errors to the local
user. Since the contents of memory are included in this error report, sensitive
information may be transmitted to Microsoft. This feature must be disabled to
prevent the release of such information.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents Windows from searching Windows Update for device drivers
when no local drivers for a device are present.

To ensure users do not experience denial of service when performing
certificate-based authentication to DoD websites due to the system chaining to a
root other than DoD Root CA 2, the DoD Interoperability Root CA to DoD Root CA 2
cross-certificate must be installed in the Untrusted Certificate Store.

To ensure secure websites protected with ECA server certificates are properly
validated, the system must trust the ECA Root CA 2. The ECA root certificate will
ensure the trust chain is established for server certificates issued from the External
CA.

To ensure secure DoD websites and DoD signed code are properly validated, the
system must trust the DoD Root CA 2. The DoD root certificate will ensure that the
trust chain is established for server certificates issued from the DoD CA.

Storage of administrative credentials could allow unauthorized access. Disallowing
the storage of RunAs credentials for Windows Remote Management will prevent
them from being used with plug-ins.

Improper modification of the registry can have a significant impact on the security
configuration of a system, as well as potentially rendering a system inoperable.
Failed access attempts may indicate an attack on a system. Auditing for failed access
attempts provides an indicator of such attempts and a method of determining
responsible parties.

Improper modification of system files can have a significant impact on the security
configuration of a system, as well as potentially rendering a system inoperable.
Failed access attempts may indicate an attack on a system. Auditing for failed access
attempts provides an indicator of such attempts and a method of determining
responsible parties.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

System Integrity records events related to violations of integrity to the security
subsystem.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Security System Extension records events related to extension code being loaded by
the security subsystem.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

System Integrity records events related to violations of integrity to the security
subsystem.

The Windows Time Service controls time synchronization settings. Time
synchronization is essential for authentication and auditing purposes. If the
Windows Time Service is used, it must synchronize with a secure, authorized time
source. Domain-joined systems are automatically configured to synchronize with
domain controllers. If an NTP server is configured, it must synchronize with a secure,
authorized time source.

Unsigned network traffic is susceptible to man-in-the-middle attacks where an
intruder captures packets between the server and the client and modifies them
before forwarding them to the client. In the case of an LDAP server, this means that
an attacker could cause a client to make decisions based on false records from the
LDAP directory. You can lower the risk of an attacker pulling this off in a corporate
network by implementing strong physical security measures to protect the network
infrastructure. Furthermore, implementing Internet Protocol security (IPSec)
authentication header mode (AH), which performs mutual authentication and packet
integrity for Internet Protocol (IP) traffic, can make all types of man-in-the-middle
attacks extremely difficult.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. This setting will turn on session logging for
Remote Assistance connections.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Process Creation records events related to the creation of a process and the source.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

User Account Management records events such as creating, changing, deleting,
renaming, disabling, or enabling user accounts.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
This setting prevents the system from generating audit events for every file backed up
or restored, which could fill the security log in Windows, making it difficult to identify
actual issues.

In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a
server, and the server leaves the half-open connections open until it is overwhelmed
and is no longer able to respond to legitimate requests.

When the audit log reaches a given percent full, an audit event is written to the
security log. It is recorded as a successful audit event under the category of System.
This option may be especially useful if the audit logs are set to be cleared manually.

Commercial-grade encryption does not provide adequate protection when the
classification level of directory data in transit is higher than the level of the network
or when sources and methods intelligence (SAMI) data is included.

The Internet Router Discovery Protocol (IRDP) is used to detect and configure default
gateway addresses on the computer. If a router is impersonated on a network, traffic
could be routed through the compromised system.

The default search behavior, when an application calls a function in a Dynamic Link
Library (DLL), is to search the current directory, followed by the directories contained
in the system's path environment variable. An unauthorized DLL, inserted into an
application's working directory, could allow malicious code to be run on the system.
Setting this policy value forces the system to search the %Systemroot% for the DLL
before searching the current directory or the rest of the path.

Allowing more than several seconds makes the computer vulnerable to a potential
attack from someone walking up to the console to attempt to log on to the system
before the lock takes effect.

Configuring Windows to limit the number of times that IPv6 TCP retransmits
unacknowledged data segments before aborting the attempt helps prevent resources
from becoming exhausted.

This setting controls how often TCP sends a keep-alive packet in attempting to verify
that an idle connection is still intact. A higher value could allow an attacker to cause
a denial of service with numerous connections.

IPSec exemption filters allow specific traffic that may be needed by the system for
such things as Kerberos authentication. This setting configures Windows for specific
IPSec exemptions.

Configuring the system to ignore name release requests, except from WINS servers,
prevents a denial of service (DoS) attack. The DoS consists of sending a NetBIOS
name release request to the server for each entry in the server's cache, causing a
response delay in the normal operation of the server's WINS resolution capability.

Unnecessary services increase the attack surface of a system. Some of these services
may not support required levels of authentication or encryption.

Unnecessary services increase the attack surface of a system. Some of these services
may not support required levels of authentication or encryption.

Unnecessary services increase the attack surface of a system. Some of these services
may not support required levels of authentication or encryption.

The automatic start of the Smart Card Removal Policy service is required to support
the smart card removal behavior requirement.

PKI is a two-factor authentication technique; thus, it provides a higher level of trust in
the asserted identity than use of the username/password authentication technique.

Unnecessary services increase the attack surface of a system. Some of these services
may not support required levels of authentication or encryption.

Unnecessary services increase the attack surface of a system. Some of these services
may not support required levels of authentication or encryption.

Allowing unsecure RPC communication exposes the system to man-in-the-middle
attacks and data disclosure attacks. A man-in-the-middle attack occurs when an
intruder captures packets between a client and server and modifies them before
allowing the packets to be exchanged. Usually the attacker will modify the
information in the packets in an attempt to cause either the client or server to reveal
sensitive information.

Allowing multiple Remote Desktop Services sessions could consume resources.
There is also potential to make a secondary connection to a system with
compromised credentials.

Preventing the redirection of Remote Desktop session data to a client computer's
COM ports helps reduce possible exposure of sensitive data.

Preventing the redirection of Remote Desktop session data to a client computer's LPT
ports helps reduce possible exposure of sensitive data.

Enabling the redirection of smart card devices allows their use within Remote
Desktop sessions.

Preventing the redirection of Plug and Play devices in Remote Desktop sessions helps
reduce possible exposure of sensitive data.

Allowing the redirection of only the default client printer to a Remote Desktop
session helps reduce possible exposure of sensitive data.

Removing the Disconnect option from the Shut Down dialog box for Remote Desktop
sessions helps prevent disconnected but active sessions from continuing to run and
using resources.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Security Group Management records events such as creating, deleting, or changing
security groups, including changes in group members.

When directory service database objects do not have appropriate access control
permissions, it may be possible for malicious users to create, read, update, or delete
the objects and degrade or destroy the integrity of the data. When the directory
service is used for identification, authentication, or authorization functions, a
compromise of the database objects could lead to a compromise of all systems that
rely on the directory service.

For Active Directory (AD), the Organizational Unit (OU) objects require special
attention. In a distributed administration model (i.e., help desk), OU objects are more
likely to have access permissions changed from the secure defaults. If inappropriate
access permissions are defined for OU objects, it could allow an intruder to add or
delete users in the OU. This could result in unauthorized access to data or a Denial of
Service to authorized users.

IPv6 transition technologies, which tunnel packets through other protocols, do not
provide visibility.

IPv6 transition technologies, which tunnel packets through other protocols, do not
provide visibility.

A Network Bridge can connect two or more network segments, allowing
unauthorized access or exposure of sensitive data. This setting prevents a Network
Bridge from being installed and configured.

Selecting an incorrect network location may allow greater exposure of a system.
Elevation is required by default on nondomain systems to change network location.
This setting configures elevation to also be required on domain-joined systems.

Routing all Direct Access traffic through the internal network allows monitoring and
prevents split tunneling.

IPv6 transition technologies, which tunnel packets through other protocols, do not
provide visibility.

The Mapper I/O network protocol (LLTDIO) driver allows the discovery of the
connected network and allows various options to be enabled. Disabling this helps
protect the system from potentially discovering and connecting to unauthorized
devices.

The Responder network protocol driver allows a computer to be discovered and
located on a network. Disabling this helps protect the system from potentially being
discovered and connected to by unauthorized devices.

Peer-to-Peer applications can allow unauthorized access to a system and exposure of
sensitive data. This setting will turn off the Microsoft Peer-to-Peer Networking
Service.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Shut down the system" user right can interactively shut down a
system, which could result in a DoS.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Restore files and directories" user right can circumvent file and
directory permissions and could allow access to sensitive data. It could also be used
to overwrite more current data.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Take ownership of files or other objects" user right can take
ownership of objects and make changes.

A PKI implementation depends on the practices established by the Certificate
Authority (CA) to ensure the implementation is secure. Without proper practices, the
certificates issued by a CA have limited value in authentication functions. The use of
multiple CAs from separate PKI implementations results in interoperability issues. If
servers and clients do not have a common set of root CA certificates, they are not
able to authenticate each other.

User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting
configures the built-in Administrator account so that it runs in Admin Approval Mode.

When directory service database objects do not have appropriate access control
permissions, it may be possible for malicious users to create, read, update, or delete
the objects and degrade or destroy the integrity of the data. When the directory
service is used for identification, authentication, or authorization functions, a
compromise of the database objects could lead to a compromise of all systems that
rely on the directory service.

For Active Directory (AD), the Organizational Unit (OU) objects require special
attention. In a distributed administration model (i.e., help desk), OU objects are
more likely to have access permissions changed from the secure defaults. If
inappropriate access permissions are defined for OU objects, it could allow an
intruder to add or delete users in the OU. This could result in unauthorized access to
data or a Denial of Service to authorized users.

Use of software certificates and their accompanying installation files for end users to
access resources is less secure than the use of hardware-based certificates.

Unnecessary services increase the attack surface of a system. Some services may be
run under the local System account, which generally has more permissions than
required by the service. Compromising a service could allow an intruder to obtain
system permissions and open the system to a variety of attacks.

A properly configured host-based Intrusion Detection System provides another level
of defense against unauthorized access to critical servers. With proper configuration
and logging enabled, such a system can stop and/or alert for many attempts to gain
unauthorized access to resources.

Organizations are required to identify information systems containing software
affected by recently announced software flaws (and potential vulnerabilities resulting
from those flaws) and report this information to designated organizational officials
with information security responsibilities (e.g., senior information security officers,
information system security managers, information systems security officers). To
support this requirement, an automated process or mechanism is required.

The organization (including any contractor to the organization) must promptly install
security-relevant software updates (e.g., patches, service packs, hot fixes). Flaws
discovered during security assessments, continuous monitoring, incident response
activities, or information system error handling must also be addressed.

Failure to verify a certificate's revocation status can result in the system accepting a
revoked, and therefore unauthorized, certificate. This could result in the installation
of unauthorized software or a connection for rogue networks, depending on the use
for which the certificate is intended. Querying for certificate revocation mitigates
the risk that the system will accept an unauthorized certificate.

The FTP (File Transfer Protocol) service allows remote users to access shared files and
directories. Allowing anonymous FTP connections makes user auditing difficult.
Using accounts that have administrator privileges to log on to FTP risks that the
userid and password will be captured on the network and give administrator access
to an unauthorized user.

The FTP service allows remote users to access shared files and directories which
could provide access to system resources and compromise the system, especially if
the user can gain access to the root directory of the boot drive.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Logging of successful connections for a domain
connection will be enabled to maintain an audit trail if issues are discovered.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Logging of dropped packets for a domain
connection will be enabled to maintain an audit trail of potential issues.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Unicast responses to multicast or broadcast
messages in the domain will be blocked. This helps minimize the risk of an attacker
using broadcast or multicast traffic to deliver malicious payloads.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. The display of notifications to the user when a
program is blocked from receiving an inbound connection in the domain must be
enabled to alert the user of potential issues.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. The firewall log file size for a domain connection
will be set to ensure enough capacity is allocated for audit data.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. The location and file name of the firewall log for a
domain connection will be defined to ensure the logs are maintained.

Attaching malicious files is a known avenue of attack. This setting configures the
system to notify antivirus programs when a user opens a file attachment.

Preserving zone of origin (Internet, intranet, local, restricted) information on file
attachments allows Windows to determine risk. This setting prevents users from
manually removing zone information from saved file attachments.

The Windows Media Player uses software components, referred to as Codecs, to play
back media files. By default, when an unknown file type is opened with the Media
Player, it will search the Internet for the appropriate Codec and automatically
download it. To ensure platform consistency and to protect against new
vulnerabilities associated with media types, all Codecs must be installed by the
System Administrator.

Allowing users to share files in their profiles may provide unauthorized access or
result in the exposure of sensitive data.

Unencrypted access to system services may permit an intruder to intercept user
identification and passwords that are being transmitted in clear text. This could give
an intruder unlimited access to the network.

Setting application accounts to expire may cause applications to stop functioning.
However, not changing them on a regular basis exposes them to attack. The site will
have a policy that application account passwords are changed at least annually or
when a system administrator with knowledge of the password leaves the
organization.

Application/service account passwords must be of sufficient length to prevent being
easily cracked. Application/service accounts that are manually managed must have
passwords at least 15 characters in length.

Security configuration tools such as Group Policies and Security Templates allow
system administrators to consolidate security-related system settings into a single
configuration file. These settings can then be applied consistently to any number of
Windows machines.

Shared accounts (accounts where two or more people log in with the same user
identification) do not provide adequate identification and authentication. There is no
way to provide for nonrepudiation or individual accountability for system access and
resource usage. Documentation must include a list of personnel that have access to
each shared account.

Operating system backup is a critical step in maintaining data assurance and
availability.

User-level information is data generated by information system and/or application
users.

Backups shall be consistent with organizational recovery time and recovery point
objectives.

Operating system backup is a critical step in maintaining data assurance and
availability.

System-level information includes system-state information, operating system and
application software, and licenses.

Backups must be consistent with organizational recovery time and recovery point
objectives.

Operating system backup is a critical step in maintaining data assurance and
availability.

Information system and security-related documentation contains information
pertaining to system configuration and security settings.

Backups shall be consistent with organizational recovery time and recovery point
objectives.

A system backup will usually include sensitive information such as user accounts that
could be used in an attack. As a valuable system resource, the system backup must
be protected and stored in a physically secure location.

User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting requires
Windows to respond to application installation requests by prompting for credentials.

User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting
configures whether Windows elevates all applications, or only signed ones.

User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting
configures Windows to only allow applications installed in a secure location on the
file system, such as the Program Files or the Windows\System32 folders, to run with
elevated privileges.

User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting enables
UAC.

User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting ensures
that the elevation prompt is only used in secure desktop mode.

User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting
configures non-UAC-compliant applications to run in virtualized file and registry
entries in per-user locations, allowing them to run.

User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting prevents
User Interface Accessibility programs from disabling the secure desktop for elevation
prompts.

Software restriction policies help to protect users and computers from executing
unauthorized code such as viruses and Trojan horses. This setting must be enabled
to enforce certificate rules in software restriction policies.

The POSIX subsystem is an Institute of Electrical and Electronic Engineers (IEEE)
standard that defines a set of operating system services. The POSIX Subsystem is
required if the server supports applications that use that subsystem. The subsystem
introduces a security risk relating to processes that can potentially persist across
logins. That is, if a user starts a process and then logs out, there is a potential that
the next user who logs in to the system could access the previous user's process. This
is dangerous because the process started by the first user may retain that user's
system privileges, and anything the second user does with that process will be
performed with the privileges of the first user.

Allowing users to install drivers can introduce malware or cause the instability of a
system. This capability should be restricted to administrators.

When inappropriate audit settings are configured for directory service database
objects, it may be possible for a user or process to update the data without
generating any tracking data. The impact of missing audit data is related to the type
of object. A failure to capture audit data for objects used by identification,
authentication, or authorization functions could degrade or eliminate the ability to
track changes to access policy for systems or data.

For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes the
AdminSDHolder object. Because changes to these objects can significantly impact
access controls or the availability of systems, the absence of auditing data makes it
impossible to identify the source of changes that impact the confidentiality, integrity,
and availability of data and systems throughout an AD domain. The lack of proper
auditing can result in insufficient forensic evidence needed to investigate an incident
and prosecute the intruder.

A Windows account with the "Synchronize directory service data" right has the ability
to read all information in the AD database. This bypasses the object access
permissions that would otherwise restrict access to the data. The scope of access
granted by this right is too broad for secure usage. Specific object permissions or
other group membership assignments could be used to provide access on an
appropriate scale.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Handle Manipulation auditing under Object Access is needed to correctly enable the
recording of events related to the access and changing of files and directories.
Auditing must also be enabled on the specific file system objects to be audited.

The use of complex passwords increases their strength against guessing and
brute-force attacks. This setting configures the system to verify that newly created
passwords conform to the Windows password complexity policy.

Storing passwords using reversible encryption is essentially the same as storing
clear-text versions of the passwords. For this reason, this policy must never be enabled.

The account lockout feature, when enabled, prevents brute-force password attacks
on the system. The higher this value is, the less effective the account lockout feature
will be in protecting the local system. The number of bad logon attempts must be
reasonably small to minimize the possibility of a successful password attack, while
allowing for honest errors made during a normal user logon.

The account lockout feature, when enabled, prevents brute-force password attacks
on the system. This parameter specifies the period of time that must pass after failed
logon attempts before the counter is reset to 0. The smaller this value is, the less
effective the account lockout feature will be in protecting the local system.

The account lockout feature, when enabled, prevents brute-force password attacks
on the system. This parameter specifies the period of time that an account will
remain locked after the specified number of failed logon attempts. A value of 0 will
require an administrator to unlock the account.

Permitting passwords to be changed in immediate succession within the same day
allows users to cycle passwords through their history database. This enables users to
effectively negate the purpose of mandating periodic password changes.

Information systems not protected with strong password schemes (including
passwords of minimum length) provide the opportunity for anyone to crack the
password, thus gaining access to the system and compromising the device,
information, or the local network.

A system is more vulnerable to unauthorized access when system users recycle the
same password several times without being required to change to a unique password
on a regularly scheduled basis. This enables users to effectively negate the purpose
of mandating periodic password changes.

The longer a password is in use, the greater the opportunity for someone to gain
unauthorized knowledge of the passwords. Scheduled changing of passwords
hinders the ability of unauthorized system users to crack passwords and gain access
to a system.

A computer connecting to a domain controller will establish a secure channel.
Requiring strong session keys enforces 128-bit encryption between systems.

Computer account passwords are changed automatically on a regular basis. This
setting controls the maximum password age that a machine account may have. This
setting must be set to no more than 30 days, ensuring the machine changes its
password monthly.

Computer account passwords are changed automatically on a regular basis.
Disabling automatic password changes can make the system more vulnerable to
malicious access. Frequent password changes can be a significant safeguard for your
system. A new password for the computer account will be generated every 30 days.

Requests sent on the secure channel are authenticated, and sensitive information
(such as passwords) is encrypted, but the channel is not integrity checked. If this
policy is enabled, outgoing secure channel traffic will be signed.

Requests sent on the secure channel are authenticated, and sensitive information
(such as passwords) is encrypted, but not all information is encrypted. If this policy is
enabled, outgoing secure channel traffic will be encrypted.

Requests sent on the secure channel are authenticated, and sensitive information
(such as passwords) is encrypted, but not all information is encrypted. If this policy is
enabled, outgoing secure channel traffic will be encrypted and signed.
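The password-policy and secure-channel rationales above can be checked offline against a security policy export. The following is an added example, not part of the original checklist: it assumes the input is text in `secedit /export /cfg` format, uses a constructed sample, and takes the lockout threshold as a site-chosen parameter (`max_bad_logons`, default 3 is an assumption, since the rationale only says "reasonably small").

```python
import configparser

NETLOGON = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"

# Constructed sample in `secedit /export /cfg` format; not taken from a real host.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
PasswordComplexity = 1
ClearTextPassword = 1
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,45
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def _read_int(cp, section, key):
    """Return a setting as an int, or None when it is absent or not numeric."""
    if not cp.has_option(section, key):
        return None
    raw = cp.get(section, key)
    if section == "Registry Values":
        # Registry entries are exported as "<type>,<data>"; type 4 is REG_DWORD.
        reg_type, _, raw = raw.partition(",")
        if reg_type.strip() != "4":
            return None
    try:
        return int(raw.strip().strip('"'))
    except ValueError:
        return None


def audit(inf_text, max_bad_logons=3):
    """Return {setting: reason} for every checked setting that fails.

    max_bad_logons is an assumed site value, not a number from the checklist.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.read_string(inf_text)  # option names are lower-cased, so lookups ignore case

    system_access = [
        ("MinimumPasswordAge", lambda v: v >= 1,
         "same-day changes let users cycle through password history"),
        ("PasswordComplexity", lambda v: v == 1,
         "new passwords are not checked against the complexity policy"),
        ("ClearTextPassword", lambda v: v == 0,
         "passwords are stored with reversible encryption"),
        ("LockoutBadCount", lambda v: 1 <= v <= max_bad_logons,
         "lockout is disabled (0) or the threshold is too high"),
    ]
    netlogon = [
        # Assumption: 0 is treated as non-compliant along with anything over 30.
        ("MaximumPasswordAge", lambda v: 1 <= v <= 30,
         "machine account password may be older than 30 days"),
        ("DisablePasswordChange", lambda v: v == 0,
         "automatic machine account password changes are disabled"),
        ("RequireSignOrSeal", lambda v: v == 1,
         "secure channel data is not always signed or encrypted"),
        ("SealSecureChannel", lambda v: v == 1,
         "secure channel data is not encrypted when possible"),
        ("SignSecureChannel", lambda v: v == 1,
         "secure channel data is not signed when possible"),
        ("RequireStrongKey", lambda v: v == 1,
         "strong (128-bit) session keys are not required"),
    ]

    findings = {}

    def record(label, value, ok, reason):
        if value is None:
            findings[label] = "not defined in export"
        elif not ok(value):
            findings[label] = f"{reason} (value {value})"

    for name, ok, reason in system_access:
        record(name, _read_int(cp, "System Access", name), ok, reason)
    for name, ok, reason in netlogon:
        key = NETLOGON + "\\" + name
        record("Netlogon\\" + name, _read_int(cp, "Registry Values", key),
               ok, reason)
    return findings


if __name__ == "__main__":
    for setting, reason in audit(SAMPLE_INF).items():
        print(f"FINDING {setting}: {reason}")
```

A setting reported as "not defined in export" needs a manual look, because the export cannot show whether the default in effect is the compliant one.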

Removable hard drives, if they are not properly configured, can be formatted and
ejected by users who are not members of the Administrators Group. Formatting and
ejecting removable NTFS media must only be done by administrators.

Disabling the Ctrl+Alt+Del security attention sequence can compromise system
security. Because only Windows responds to the Ctrl+Alt+Del security sequence, a
user can be assured that any passwords entered following that sequence are sent
only to Windows. If the sequence requirement is eliminated, malicious programs can
request and receive a user's Windows password. Disabling this sequence also
suppresses a custom logon banner.

Displaying the username of the last logged on user provides half of the
userid/password equation that an unauthorized person would need to gain access.
The username of the last user to log on to a system must not be displayed.

To the extent that anonymous access to directory data (outside the root DSE) is
permitted, read access control of the data is effectively disabled. If other means of
controlling access (such as network restrictions) are compromised, there may be
nothing else to protect the confidentiality of sensitive directory data.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. The System event log may
be susceptible to tampering if proper permissions are not applied.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. The Application event log
may be susceptible to tampering if proper permissions are not applied.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. The Security event log may
disclose sensitive information or be susceptible to tampering if proper permissions
are not applied.

Audit records are essential for investigating system activity after the fact. Retention
periods for audit data are determined based on the sensitivity of the data handled by
the system.

Protection of log data includes assuring the log data is not accidentally lost or
deleted. Backing up audit records to a different system or onto separate media than
the system being audited on an organization-defined frequency helps to assure that,
in the event of a catastrophic system failure, the audit records will be retained.

To be of value, audit logs from critical systems must be reviewed on a regular basis.
Critical systems should be reviewed on a daily basis to identify security breaches and
potential weaknesses in the security structure. This can be done with the use of
monitoring software or other utilities for this purpose.

Audit records are essential for investigating system activity after the fact. Retention
periods for audit data are determined based on the sensitivity of the data handled by
the system.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Access Credential Manager as a trusted caller" user right may be
able to retrieve the credentials of other accounts from Credential Manager.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Act as part of the operating system" user right can assume the
identity of any user and gain access to resources that user is authorized to access.
Any accounts with this right can take complete control of a system.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Allow log on locally" user right can log on interactively to a
system.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Adjust memory quotas for a process" user right can adjust
memory that is available to processes, and could be used in a denial of service (DoS)
attack.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Back up files and directories" user right can circumvent file and
directory permissions and could allow access to sensitive data.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Allow log on through Remote Desktop Services" user right can
access a system through Remote Desktop.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Change the system time" user right can change the system time,
which can impact authentication, as well as affect time stamps on event log entries.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Bypass traverse checking" user right can pass through folders
when browsing even if they do not have the "Traverse Folder" access permission.
They could potentially view sensitive file and folder names. They would not have
additional access to the files and folders unless it is granted through permissions.

Attackers are constantly looking for vulnerabilities in systems and applications. The
Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data
Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and
Structured Exception Handler Overwrite Protection (SEHOP) on the system and
applications, adding additional levels of protection.

Turning off an inactive display supports energy saving initiatives.

Turning off an inactive display supports energy saving initiatives. It may also extend
availability on systems running on a battery.

Authentication must always be required when accessing a system. This setting
ensures the user is prompted for a password on resume from sleep (plugged in).

Authentication must always be required when accessing a system. This setting
ensures the user is prompted for a password on resume from sleep (on battery).

App notifications that are displayed on the lock screen could display sensitive
information to unauthorized personnel. Turning off this feature will limit access to
the information to a logged on user.

The username is one part of logon credentials that could be used to gain access to a
system. Preventing the enumeration of users limits this information to authorized
personnel.

Remote assistance allows another user to view or take control of the local session of
a user. Solicited assistance is help that is specifically requested by the local user. This
may allow unauthorized parties access to the resources on the computer.

Remote assistance allows another user to view or take control of the local session of
a user. Unsolicited remote assistance is help that is offered by the remote user. This
may allow unauthorized parties access to the resources on the computer.

When inappropriate audit settings are configured for directory service database
objects, it may be possible for a user or process to update the data without
generating any tracking data. The impact of missing audit data is related to the type
of object. A failure to capture audit data for objects used by identification,
authentication, or authorization functions could degrade or eliminate the ability to
track changes to access policy for systems or data.

For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes the
Infrastructure object. Because changes to these objects can significantly impact
access controls or the availability of systems, the absence of auditing data makes it
impossible to identify the source of changes that impact the confidentiality, integrity,
and availability of data and systems throughout an AD domain. The lack of proper
auditing can result in insufficient forensic evidence needed to investigate an incident
and prosecute the intruder.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

IPSec Driver records events related to the IPSec Driver such as dropped packets.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Security State Change records events related to changes in the security state, such as
startup and shutdown of the system.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Sensitive Privilege Use records events related to use of sensitive privileges, such as
"Act as part of the operating system" or "Debug programs".

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

IPSec Driver records events related to the IPSec Driver such as dropped packets.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Sensitive Privilege Use records events related to use of sensitive privileges, such as
"Act as part of the operating system" or "Debug programs".

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Security System Extension records events related to extension code being loaded by
the security subsystem.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Security State Change records events related to changes in the security state, such as
startup and shutdown of the system.

When a time synchronization tool executes, it may switch between time sources
according to network or server contention. If switches between time sources are not
logged, it may be difficult or impossible to detect malicious activity or availability
problems.

Anonymous access to network shares provides the potential for gaining unauthorized
system access by network users. This could lead to the exposure or corruption of
sensitive data.

Allowing anonymous access to named pipes or shares provides the potential for
unauthorized system access. This setting restricts access to those defined in
"Network access: Named Pipes that can be accessed anonymously" and "Network
access: Shares that can be accessed anonymously", both of which must be blank
under other requirements.

This setting controls the storage of passwords and credentials for network
authentication on the local system. Such credentials must not be stored on the local
machine, as that may lead to account compromise.

Allowing anonymous logon users (null session connections) to list all account names
and enumerate all shared resources can provide a map of potential points to attack
the system.

Anonymous enumeration of SAM accounts allows anonymous logon users (null
session connections) to list all account names, thus providing a list of potential
points to attack the system.

Allowing anonymous SID/Name translation can provide sensitive information for
accessing a system. Only authorized users must be able to perform such translations.

The registry is integral to the function, security, and stability of the Windows system.
Some processes may require remote access to the registry. This setting controls
which registry paths and sub-paths are accessible from a remote computer. These
registry paths must be limited, as they could give unauthorized individuals access to
the registry.

The registry is integral to the function, security, and stability of the Windows system.
Some processes may require remote access to the registry. This setting controls
which registry paths are accessible from a remote computer. These registry paths
must be limited, as they could give unauthorized individuals access to the registry.

Access by anonymous users must be restricted. If this setting is enabled, then
anonymous users have the same rights and permissions as the built-in Everyone
group. Anonymous users must not have these permissions or rights.

Allowing anonymous access to the root DSE data on a directory server provides
potential attackers with a number of details about the configuration and data
contents of a directory. For example, the namingContexts attribute indicates the
directory space contained in the directory; the supportedLDAPVersion attribute
indicates which versions of the LDAP protocol the server supports; and the
supportedSASLMechanisms attribute indicates the names of supported
authentication mechanisms. An attacker with this information may be able to select
more precisely targeted attack tools or higher value targets.

Inadequate log size will cause the log to fill up quickly and require frequent clearing
by administrative personnel.

Inadequate log size will cause the log to fill up quickly and require frequent clearing
by administrative personnel.

Improper access permissions for directory data files could allow unauthorized users
to read, modify, or delete directory data.

The SYSVOL directory contains public files (to the domain) such as policies and logon
scripts. Data in shared subdirectories are replicated to all domain controllers in a
domain.

Inadequate log size will cause the log to fill up quickly and require frequent clearing
by administrative personnel.

Attackers are constantly looking for vulnerabilities in systems and applications. The
Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data
Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and
Structured Exception Handler Overwrite Protection (SEHOP) on the system and
applications, adding additional levels of protection.

Attackers are constantly looking for vulnerabilities in systems and applications. The
Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data
Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and
Structured Exception Handler Overwrite Protection (SEHOP) on the system and
applications, adding additional levels of protection.

Uncontrolled system updates can introduce issues to a system. The system must be
configured to prevent Automatic Updates from being run unless directed to a DoD
Windows Server Update Services (WSUS) server.

Attackers are constantly looking for vulnerabilities in systems and applications. The
Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data
Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and
Structured Exception Handler Overwrite Protection (SEHOP) on the system and
applications, adding additional levels of protection.

Unencrypted remote access to a system can allow sensitive information to be
compromised. Windows remote management connections must be encrypted to
prevent this.

Basic authentication uses plain text passwords that could be used to compromise a
system.

Digest authentication is not as strong as other options and may be subject to man-in-
the-middle attacks.

Unencrypted remote access to a system can allow sensitive information to be
compromised. Windows remote management connections must be encrypted to
prevent this.

Basic authentication uses plain text passwords that could be used to compromise a
system.

Uncontrolled system updates can introduce issues to a system. The automatic check
for updates performed by Windows Media Player must be disabled to ensure a
constant platform and to prevent the introduction of unknown or untested software on
the system.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents users from being presented with Privacy and Installation options
on first use of Windows Media Player, which could enable some communication with
the vendor.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This check verifies that Windows Media DRM will be prevented from accessing the
Internet.

In Kerberos, there are 2 types of tickets: Ticket Granting Tickets (TGTs) and Service
Tickets. Kerberos tickets have a limited lifetime so the time an attacker has to
implement an attack is limited. This policy controls how long TGTs can be renewed.
With Kerberos, the user's initial authentication to the domain controller results in a
TGT which is then used to request Service Tickets to resources. Upon startup, each
computer gets a TGT before requesting a service ticket to the domain controller and
any other computers it needs to access. For services that start up under a specified
user account, users must always get a TGT first, then get Service Tickets to all
computers and services accessed.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. The display of notifications to the user when a
program is blocked from receiving an inbound connection on a private network must
be enabled to alert the user of potential issues.

The server message block (SMB) protocol provides the basis for many network
operations. Digitally signed SMB packets aid in preventing man-in-the-middle
attacks. If this policy is enabled, the SMB client will only communicate with an SMB
server that performs SMB packet signing.

The server message block (SMB) protocol provides the basis for many network
operations. If this policy is enabled, the SMB client will request packet signing when
communicating with an SMB server that is enabled or required to perform SMB
packet signing.

Unattended systems are susceptible to unauthorized use and must be locked.
Configuring a system to lock when a smart card is removed will ensure the system is
inaccessible when unattended.

The default Windows configuration caches the last logon credentials for users who
log on interactively to a system. This feature is provided for system availability
reasons, such as the user's machine being disconnected from the network or domain
controllers being unavailable. Even though the credential cache is well protected,
storing encrypted copies of users' passwords on workstations does not always have
the same physical protection required for domain controllers. If a workstation is
attacked, an unauthorized individual may isolate the password to a domain user
account using a password-cracking program and gain access to the domain.

Creating strong passwords that can be remembered by users requires some thought.
By giving the user advance warning, the user has time to construct a sufficiently
strong password. This setting configures the system to display a warning to users
telling them how many days are left before their password expires.

Failure to display the logon banner prior to a logon attempt will negate legal
proceedings resulting from unauthorized access to system resources.

Failure to display the logon banner prior to a logon attempt will negate legal
proceedings resulting from unauthorized access to system resources.

The account lockout feature, when enabled, prevents brute-force password attacks
on the system. The higher this value is, the less effective the account lockout feature
will be in protecting the local system. The number of bad logon attempts should be
reasonably small to minimize the possibility of a successful password attack, while
allowing for honest errors made during a normal user logon.

Unattended systems are susceptible to unauthorized use and should be locked when
unattended. The screen saver should be set at a maximum of 15 minutes and be
password protected. This protects critical and sensitive data from exposure to
unauthorized personnel with physical access to the computer.

Remote access to the Plug and Play interface could potentially allow connections by
unauthorized devices. This setting configures remote access to the Plug and Play
interface and must be disabled.

Uncontrolled system updates can introduce issues to a system. Obtaining update
components from an outside source may also potentially provide sensitive
information outside of the enterprise. Optional component installation or repair
must be obtained from an internal source.

Windows Connect Now provides wizards for tasks such as "Set up a wireless router or
access point" and must not be available to users. Functions such as these may allow
unauthorized connections to a system and the potential for sensitive information to
be compromised.

Windows Connect Now allows the discovery and configuration of devices over
wireless. Wireless devices must be managed. If a rogue device is connected to a
system, there is potential for sensitive information to be compromised.

IP stateless autoconfiguration could configure routes that circumvent preferred
routes if not limited.

IPv6 transition technologies, which tunnel packets through other protocols, do not
provide visibility.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting will prevent Windows from searching Windows Update for point and
print drivers. Only the local driver store and server driver cache will be searched.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. This setting enables the firewall when connected
to the domain.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Outbound connections are allowed in the domain,
unless a rule explicitly blocks the connection. This allows normal outbound
communication, which could be restricted as necessary with additional rules.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Unsolicited inbound connections may be malicious
attempts to gain access to a system. Unsolicited inbound connections for which
there is no rule allowing the connection will be blocked in the domain.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents responsiveness events from being aggregated and sent to
Microsoft.

PKU2U is a peer-to-peer authentication protocol. This setting prevents online
identities from authenticating to domain-joined systems. Authentication will be
centrally managed with Windows user accounts.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents the MSDT from communicating with and sending collected data
to Microsoft, the default support provider.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents users from searching troubleshooting content on Microsoft
servers. Only local content will be available.

Configuring RPC to restrict unauthenticated RPC clients from connecting to the RPC
server will prevent anonymous connections.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Audit directory service access records events related to users accessing an Active
Directory object.

Configuring RPC to require authentication to the RPC Endpoint Mapper will force
clients to provide authentication before RPC communication is established.

When directory service data files, especially for directories used for identification,
authentication, or authorization, reside on the same logical partition as user-owned
files, the directory service data may be more vulnerable to unauthorized access or
other availability compromises. Directory service and user-owned data files sharing a
partition may be configured with less restrictive permissions in order to allow access
to the user data.
The directory service may be vulnerable to a denial of service attack when user-
owned files on a common partition are expanded to an extent preventing the
directory service from acquiring more space for directory or audit data.

This setting determines the period of time (in days) during which a user's TGT may be
renewed. This security configuration limits the amount of time an attacker has to
crack the TGT and gain access.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Audit directory service changes records events related to changes made to objects in
Active Directory Domain Services.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Logon records user logons. If this is an interactive logon, it is recorded on the local
system. If it is to a network share, it is recorded on the system accessed.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Logoff records user logoffs. If this is an interactive logoff, it is recorded on the local
system. If it is to a network share, it is recorded on the system accessed.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Logon records user logons. If this is an interactive logon, it is recorded on the local
system. If it is to a network share, it is recorded on the system accessed.

NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may
gain unauthorized access.

When a directory service using multi-master replication (such as AD) executes on
computers that do not have synchronized time, directory data may be corrupted or
updated invalidly.

The lack of synchronized time could lead to audit log data that is misleading,
inconclusive, or unusable. In cases of intrusion this may invalidate the audit data as a
source of forensic evidence in an incident investigation.

In AD, the lack of synchronized time could prevent clients from logging on or
accessing server resources as a result of Kerberos requirements related to time
variance.

Windows includes two network-sharing security models - Classic and Guest only.
With the Classic model, local accounts must be password protected; otherwise,
anyone can use guest user accounts to access shared system resources.

Services using Local System that use Negotiate when reverting to NTLM
authentication may gain unauthorized access if allowed to authenticate anonymously
rather than using the computer identity.

Limiting logon hours can help protect data by only allowing access during specified
times. This setting controls whether or not users are forced to log off when their
allowed logon hours expire. If logon hours are set for users, this must be enforced.

The Kerberos v5 authentication protocol is the default for authentication of users
who are logging on to domain accounts. NTLM, which is less secure, is retained in
later Windows versions for compatibility with clients and servers that are running
earlier versions of Windows or applications that still use it. It is also used to
authenticate logons to stand-alone computers that are running later versions.

Certain encryption types are no longer considered secure. This setting configures a
minimum encryption type for Kerberos, preventing the use of the DES encryption
suites.

The LAN Manager hash uses a weak encryption algorithm and there are several tools
available that use this hash to retrieve account passwords. This setting controls
whether or not a LAN Manager hash of the password is stored in the SAM the next
time the password is changed.

This setting controls the signing requirements for LDAP clients. This setting must be
set to Negotiate signing or Require signing, depending on the environment and type
of LDAP server in use.

Microsoft has implemented a variety of security support providers for use with RPC
sessions. All of the options must be enabled to ensure the maximum security level.

Standard user accounts must not be granted elevated privileges. Enabling Windows
Installer to elevate privileges when installing applications can allow malicious persons
and applications to gain full control of a system.

Users must be aware of attempted program installations. This setting ensures users
are notified if a web-based program attempts to install software.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents additional data requests in response to Error Reporting.

Installation options for applications are typically controlled by administrators. This
setting prevents users from changing installation options that may bypass security
features.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. This setting ensures that Error Reporting events
will be logged in the system event log.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Replace a process level token" user right allows one process or service to start
another process or service with a different security access token. A user with this
right could use this to impersonate another account.

Uncontrolled installation of applications can introduce various issues, including
system instability, and provide access to sensitive information. Installation of
applications must be controlled by the enterprise. Turning off access to the Windows
Store will limit access to publicly available applications.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting disables Microsoft Active Protection Service membership and reporting.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Modify firmware environment values" user right can change
hardware configuration environment variables. This could result in hardware failures
or a DoS.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Perform volume maintenance tasks" user right can manage
volume and disk configurations. They could potentially delete volumes, resulting in
data loss or a DoS.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Profile single process" user right can monitor the performance of
nonsystem processes. An attacker could potentially use this to identify processes
to attack.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Profile system performance" user right can monitor the performance
of system processes. An attacker could potentially use this to identify processes
to attack.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Log on as a batch job" user right allows accounts to log on using the task
scheduler service, which must be restricted.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Manage auditing and security log" user right can manage the
security log and change auditing configurations. This could be used to clear evidence
of tampering.

Notifying a user whether cached credentials were used may make them aware of
connection issues.

Inadequate log size will cause the log to fill up quickly and require frequent clearing
by administrative personnel.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Deny access to this computer from the network" user right defines the accounts
that are prevented from logging on from the network.
The Guests group must be assigned this right to prevent unauthenticated access.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Outbound connections are allowed on a private
network, unless a rule explicitly blocks the connection. This allows normal outbound
communication, which could be restricted as necessary with additional rules.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting will prevent Windows from retrieving device metadata from the Internet.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting will prevent Windows from sending an error report to Microsoft when a
device driver requests additional software during installation.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents an error report from being sent when a generic device driver is
installed.

A system restore point allows a rollback if an issue is encountered when a new
device driver is installed.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents users from being prompted to search Windows Update for
device drivers.

Compromised boot drivers can introduce malware prior to some protection
mechanisms that load after initialization. The Early Launch Antimalware driver can
limit allowed drivers based on classifications determined by the malware protection
application. At a minimum, drivers determined to be bad must not be allowed.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting will prevent the system from searching Windows Update for device
drivers.

Uncontrolled system updates can introduce issues to a system. Obtaining update
components from an outside source may also potentially provide sensitive
information outside of the enterprise. Device driver updates must be obtained from
an internal source.

Enabling this setting and then selecting the "Process even if the Group Policy objects
have not changed" option ensures that the policies will be reprocessed even if none
have been changed. This way, any unauthorized changes are forced to match the
domain-based group policy settings again.

If this setting is enabled, then Group Policy settings are not refreshed while a user is
currently logged on. This could lead to instances when a user does not have the
latest changes to a policy applied and is therefore operating in an insecure context.

Uncontrolled system updates can introduce issues to a system. This setting will
prevent users from applying vendor-signed updates (though they may be from a
trusted source).

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Load and unload device drivers" user right allows a user to load device drivers
dynamically on a system. An attacker could potentially use this to install malicious
code.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Modify an object label" user right can change the integrity label
of an object. This could potentially be used to execute code at a higher privilege.

Some features may send system information to the vendor. Turning off this capability
will prevent potentially sensitive information from being sent outside the enterprise.

Data Execution Prevention (DEP) provides additional protection by performing
checks on memory to help prevent malicious code from running. This setting will
prevent Data Execution Prevention from being turned off for File Explorer.

Changing the system's file and directory permissions allows the possibility of
unauthorized and anonymous modification to the operating system and installed
applications.

The default permissions are adequate when the Security Option "Network access: Let
everyone permissions apply to anonymous users" is set to "Disabled" (V-3377).

Changing the system's file and directory permissions allows the possibility of
unauthorized and anonymous modification to the operating system and installed
applications.

The default permissions are adequate when the Security Option "Network access: Let
everyone permissions apply to anonymous users" is set to "Disabled" (V-3377).

The ability to set access permissions and auditing is critical to maintaining the
security and proper access controls of a system. To support this, volumes must be
formatted using the NTFS file system.

Virus scan programs are a primary line of defense against the introduction of viruses
and malicious code that can destroy data and even render a computer inoperable.
Utilizing a virus scan program provides the ability to detect malicious code before
extensive damage occurs.

Virus scan programs are a primary line of defense against the introduction of viruses
and malicious code that can destroy data and even render a computer inoperable.
Utilizing the virus scan program provides the ability to detect malicious code before
extensive damage occurs. Updated virus scan data files help protect a system, as
new malware is identified by the software vendors on a regular basis.

When inappropriate audit settings are configured for directory service database
objects, it may be possible for a user or process to update the data without
generating any tracking data. The impact of missing audit data is related to the type
of object. A failure to capture audit data for objects used by identification,
authentication, or authorization functions could degrade or eliminate the ability to
track changes to access policy for systems or data.

For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes
Group Policy objects. Because changes to these objects can significantly impact
access controls or the availability of systems, the absence of auditing data makes it
impossible to identify the source of changes that impact the confidentiality, integrity,
and availability of data and systems throughout an AD domain. The lack of proper
auditing can result in insufficient forensic evidence needed to investigate an incident
and prosecute the intruder.

Systems at unsupported service packs or releases will not receive security updates
for new vulnerabilities, which leaves them subject to exploitation. Systems must be
maintained at a service pack level supported by the vendor with new security
updates.

Changing the system's file and directory permissions allows the possibility of
unauthorized and anonymous modification to the operating system and installed
applications.

The default permissions are adequate when the Security Option "Network access: Let
everyone permissions apply to anonymous users" is set to "Disabled" (V-3377).

Password complexity software (e.g., Password Policy Enforcer) enforces a minimum
mix of character types and potentially other options to create strong passwords.

Passwords must contain a case-sensitive character mix with at least one of each of
the following: uppercase letters, lowercase letters, numbers, and special characters.

Sites are responsible for installing password complexity software that complies with
current DoD requirements.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Credential validation records events related to validation tests on credentials for a
user account logon.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Credential validation records events related to validation tests on credentials for a
user account logon.

A domain controller must have a server certificate to establish authenticity as part of
PKI authentications in the domain.

When directory service database objects do not have appropriate access control
permissions, it may be possible for malicious users to create, read, update, or delete
the objects and degrade or destroy the integrity of the data. When the directory
service is used for identification, authentication, or authorization functions, a
compromise of the database objects could lead to a compromise of all systems
relying on the directory service.

For Active Directory (AD), the Group Policy objects require special attention. In a
distributed administration model (i.e., help desk), Group Policy objects are more
likely to have access permissions changed from the secure defaults. If inappropriate
access permissions are defined for Group Policy Objects, this could allow an intruder
to change the security policy applied to all domain client computers (workstations
and servers).

Attackers are constantly looking for vulnerabilities in systems and applications. The
Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data
Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and
Structured Exception Handler Overwrite Protection (SEHOP) on the system and
applications, adding additional levels of protection.

The shell protocol will limit the set of folders applications can open when run in
protected mode. Restricting files an application can open to a limited set of folders
increases the security of Windows.

Legacy plug-in applications may continue to function when a File Explorer session has
become corrupt. Disabling this feature will prevent this.

Saving passwords in the Remote Desktop Client could allow an unauthorized user to
establish a remote desktop session to another system. The system must be
configured to prevent users from saving passwords in the Remote Desktop Client.

The location service on systems may allow sensitive data to be used by applications
on the system. This should be turned off unless explicitly allowed for approved
systems/applications.

This setting controls the ability of users to supply passwords automatically as part of
their remote desktop connection. Disabling this setting would allow anyone to use
the stored credentials in a connection item to connect to the terminal server.

Preventing users from sharing the local drives on their client computers to Remote
Session Hosts that they access helps reduce possible exposure of sensitive data.

Allowing ICMP redirect of routes can lead to traffic not being routed properly. When
disabled, this forces ICMP to be routed via shortest path first.

Configuring the system to disable IP source routing protects against spoofing.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Add workstations to domain" right may add computers to a
domain. This could result in unapproved or incorrectly configured systems being
added to a domain.

If a service principal name (SPN) is provided by the client, it is validated against the
server's list of SPNs. Implementation may disrupt file and print sharing capabilities.

Users must not be permitted to remain logged on to the network after they have
exceeded their permitted logon hours. In many cases, this indicates that a user
forgot to log off before leaving for the day. However, it may also indicate that a user
is attempting unauthorized access at a time when the system may be less closely
monitored. Forcibly disconnecting users when logon hours expire protects critical
and sensitive network data from exposure to unauthorized personnel with physical
access to the computer.

Configuring the system to disable IPv6 source routing protects against spoofing.

Allowing a system to automatically log on when the machine is booted could give
access to any unauthorized individual who restarts the computer. Automatic logon
with administrator privileges would give full access to an unauthorized individual.

Open sessions can increase the avenues of attack on a system. This setting is used to
control when a computer disconnects an inactive SMB session. If client activity
resumes, the session is automatically reestablished. This protects critical and
sensitive network data from exposure to unauthorized personnel with physical access
to the computer.

Some non-Microsoft SMB servers only support unencrypted (plain text) password
authentication. Sending plain text passwords across the network, when
authenticating to an SMB server, reduces the overall security of the environment.
Check with the vendor of the SMB server to see if there is a way to support
encrypted password authentication.

The server message block (SMB) protocol provides the basis for many network
operations. Digitally signed SMB packets aid in preventing man-in-the-middle
attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as
requested by the client.

The server message block (SMB) protocol provides the basis for many network
operations. Digitally signed SMB packets aid in preventing man-in-the-middle
attacks. If this policy is enabled, the SMB server will only communicate with an SMB
client that performs SMB packet signing.

This setting determines the maximum time difference (in minutes) that Kerberos will
tolerate between the time on a client's clock and the time on a server's clock while
still considering the two clocks synchronous. In order to prevent replay attacks,
Kerberos uses timestamps as part of its protocol definition. For timestamps to work
properly, the clocks of the client and the server need to be in sync as much as
possible.
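
An added illustration (not part of the original checklist, and not Windows or Kerberos source code) of why a clock-skew tolerance and a replay cache work together: the server rejects timestamps outside the tolerance, so it only has to remember the authenticators it has seen within that window. The class name, result strings, and the 5-minute sample tolerance are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AuthenticatorChecker:
    """Toy server-side check: timestamp skew window plus replay cache."""

    max_skew: timedelta  # the tolerance the policy setting controls
    # (client, client_timestamp) -> time after which the skew check alone
    # is enough to reject the message, so the entry can be forgotten
    _seen: dict = field(default_factory=dict, init=False)

    def check(self, client: str, client_time: datetime,
              server_time: datetime) -> str:
        # Forget entries whose timestamps can no longer pass the skew check.
        self._seen = {k: exp for k, exp in self._seen.items()
                      if exp >= server_time}

        # 1. Timestamp must be within the tolerated clock difference.
        if abs(server_time - client_time) > self.max_skew:
            return "rejected: clock skew too great"

        # 2. Inside the window, the same (client, timestamp) pair may be
        #    presented only once.
        key = (client, client_time)
        if key in self._seen:
            return "rejected: replay"

        self._seen[key] = client_time + self.max_skew
        return "accepted"

    def cache_size(self) -> int:
        return len(self._seen)


def demo() -> list:
    """Run constructed sample messages through the checker."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    chk = AuthenticatorChecker(max_skew=timedelta(minutes=5))  # sample value
    return [
        # Fresh message, server clock 2 s ahead of the client.
        chk.check("alice", t0, t0 + timedelta(seconds=2)),
        # Same message captured and re-sent 30 s later: caught by the cache.
        chk.check("alice", t0, t0 + timedelta(seconds=30)),
        # Same message re-sent after 6 min: cache entry is gone, but the
        # timestamp is now outside the tolerance.
        chk.check("alice", t0, t0 + timedelta(minutes=6)),
        # Client clock 4 min ahead of the server: still tolerated.
        chk.check("bob", t0 + timedelta(minutes=10), t0 + timedelta(minutes=6)),
        # Client clock 14 min ahead: the client must fix its clock.
        chk.check("carol", t0 + timedelta(minutes=20), t0 + timedelta(minutes=6)),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A larger tolerance accepts clients with worse clocks but lengthens the period for which every seen authenticator must be remembered and during which a captured message is still within the window.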

Improper access permissions for directory data related files could allow unauthorized
users to read, modify, or delete directory data or audit trails.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Logging of successful connections for a private
network connection will be enabled to maintain an audit trail if issues are
discovered.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Increase scheduling priority" user right can change a scheduling
priority, causing performance issues or a DoS.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. This setting enables the firewall when connected
to a public network.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. The firewall log file size for a private connection
will be set to ensure enough capacity is allocated for audit data.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Logging of dropped packets for a private network
connection will be enabled to maintain an audit trail of potential issues.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Unicast responses to multicast or broadcast
messages for a private connection will be blocked. This helps minimize the risk of an
attacker using broadcast or multicast traffic to deliver malicious payloads.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. The location and file name of the firewall log for a
private connection will be defined to ensure the logs are maintained.

Attackers are constantly looking for vulnerabilities in systems and applications. The
Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data
Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and
Structured Exception Handler Overwrite Protection (SEHOP) on the system and
applications, adding additional levels of protection.

Attackers are constantly looking for vulnerabilities in systems and applications. The
Enhanced Mitigation Experience Toolkit can enable several mechanisms, such as Data
Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and
Structured Exception Handler Overwrite Protection (SEHOP) on the system and
applications, adding additional levels of protection.

Allowing biometrics may bypass required authentication methods. Biometrics may
only be used as an additional authentication factor where an enhanced strength of
identity credential is necessary or desirable. Additional factors must be met per DoD
policy.

Allowing autoplay to execute may introduce malicious code to a system. Autoplay
begins reading from a drive as soon as media is inserted into the drive. As a result, the
setup file of programs or music on audio media may start. By default, autoplay is
disabled on removable drives, such as the floppy disk drive (but not the CD-ROM
drive) and on network drives. Enabling this policy disables autoplay on all drives.

Enumeration of administrator accounts when elevating can provide part of the logon
information to an unauthorized user. This setting configures the system to always
require users to type in a username and password to elevate a running application.

Visible passwords may be seen by nearby persons, compromising them. The
password reveal button can be used to display an entered password and must not be
allowed.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting will prevent the Program Inventory from collecting data about a system
and sending the information to Microsoft.

Enabling trusted app installation allows for enterprise line of business Windows 8
type apps. A trusted app package is one that is signed with a certificate chain that
can be successfully validated in the enterprise. Configuring this ensures enterprise
line of business apps are accessible.

Allowing autorun commands to execute may introduce malicious code to a system.
Configuring this setting prevents autorun commands from executing.

Allowing autoplay to execute may introduce malicious code to a system. Autoplay
begins reading from a drive as soon as media is inserted into the drive. As a result,
the setup file of programs or music on audio media may start. This setting will
disable autoplay for non-volume devices (such as Media Transfer Protocol (MTP)
devices).

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. The firewall log file size for a public network
connection will be set to ensure enough capacity is allocated for audit data.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. The location and file name of the firewall log for a
public network connection will be defined to ensure the logs are maintained.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Local firewall rules will not be merged with Group
Policy settings on a public network to prevent Group Policy settings from being
changed.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Local connection rules will not be merged with
Group Policy settings on a public network to prevent Group Policy settings from being
changed.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Unicast responses to multicast or broadcast
messages for a public network will be blocked. This helps minimize the risk of an
attacker using broadcast or multicast traffic to deliver malicious payloads.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. The display of notifications to the user when a
program is blocked from receiving an inbound connection on a public network must
be enabled to alert the user of potential issues.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Outbound connections are allowed on a public
network, unless a rule explicitly blocks the connection. This allows normal outbound
communication, which could be restricted as necessary with additional rules.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Unsolicited inbound connections may be malicious
attempts to gain access to a system. Unsolicited inbound connections for which
there is no rule allowing the connection will be blocked on a public network.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Unsolicited inbound connections may be malicious
attempts to gain access to a system. Unsolicited inbound connections for which
there is no rule allowing the connection will be blocked on a private network.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Logging of successful connections for a public
network connection will be enabled to maintain an audit trail if issues are discovered.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. Logging of dropped packets for a public network
connection will be enabled to maintain an audit trail of potential issues.

When inappropriate audit settings are configured for directory service database
objects, it may be possible for a user or process to update the data without
generating any tracking data. The impact of missing audit data is related to the type
of object. A failure to capture audit data for objects used by identification,
authentication, or authorization functions could degrade or eliminate the ability to
track changes to access policy for systems or data.

For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes the
RID Manager$ object. Because changes to these objects can significantly impact
access controls or the availability of systems, the absence of auditing data makes it
impossible to identify the source of changes that impact the confidentiality, integrity,
and availability of data and systems throughout an AD domain. The lack of proper
auditing can result in insufficient forensic evidence needed to investigate an incident
and prosecute the intruder.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

User Account Management records events such as creating, changing, deleting,
renaming, disabling, or enabling user accounts.

When inappropriate audit settings are configured for directory service database
objects, it may be possible for a user or process to update the data without
generating any tracking data. The impact of missing audit data is related to the type
of object. A failure to capture audit data for objects used by identification,
authentication, or authorization functions could degrade or eliminate the ability to
track changes to access policy for systems or data.

For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes the
Domain object. Because changes to these objects can significantly impact access
controls or the availability of systems, the absence of auditing data makes it
impossible to identify the source of changes that impact the confidentiality, integrity,
and availability of data and systems throughout an AD domain. The lack of proper
auditing can result in insufficient forensic evidence needed to investigate an incident
and prosecute the intruder.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Computer Account Management records events such as creating, changing, deleting,
renaming, disabling, or enabling computer accounts.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Security Group Management records events such as creating, deleting, or changing
security groups, including changes in group members.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Other Account Management Events records events such as the access of a password
hash or the Password Policy Checking API being called.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Special Logon records special logons which have administrative privileges and can be
used to elevate processes.

Administrative accounts may perform any action on a system. Users with
administrative accounts must be documented to ensure those with this level of
access are clearly identified.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Central Access Policy Staging auditing under Object Access is used to enable the
recording of events related to differences in permissions between central access
policies and proposed policies.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Enable computer and user accounts to be trusted for delegation" user right
allows the "Trusted for Delegation" setting to be changed. This could potentially
allow unauthorized users to impersonate other users.

If this option is enabled, the Recovery Console does not require a password and
automatically logs on to the system. This could allow unauthorized administrative
access to the system.

Microsoft has implemented a variety of security support providers for use with RPC
sessions. All of the options must be enabled to ensure the maximum security level.

Displaying the shutdown button may allow individuals to shut down a system
anonymously. Only authenticated users should be allowed to shut down the system.
Preventing display of this button in the logon dialog box ensures that individuals who
shut down the system are authorized and tracked in the system's Security event log.

The Recovery Console SET command allows environment variables to be set in the
Recovery Console. This permits access to all drives and folders and the copying of
files to removable media, which could expose sensitive information.

This setting controls the behavior of non-Windows subsystems when dealing with the
case of arguments or commands. Case sensitivity could lead to the access of files or
commands that must be restricted. To prevent this from happening, case
insensitivity restrictions must be required.

This setting ensures that the system uses algorithms that are FIPS-compliant for
encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards
established by the U.S. Government and must be the algorithms used for all OS
encryption functions.

This policy setting determines whether the Kerberos Key Distribution Center (KDC)
validates every request for a session ticket against the user rights policy of the target
computer. The policy is enabled by default, which is the most secure setting, so that
validation of access to target resources is not circumvented.

Windows systems maintain a global list of shared system resources such as DOS
device names, mutexes, and semaphores. Each type of object is created with a
default DACL that specifies who can access the objects with what permissions. If this
policy is enabled, the default DACL is stronger, allowing nonadministrative users to
read shared objects, but not modify shared objects that they did not create.

User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting controls
the behavior of elevation when requested by a standard user account.

User Account Control (UAC) is a security mechanism for limiting the elevation of
privileges, including administrative accounts, unless authorized. This setting
configures the elevation requirements for logged on administrators to complete a
task that requires raised privileges.

Enabling this setting on all domain controllers in a domain prevents domain members
from changing their computer account passwords. If these passwords are weak or
compromised, the inability to change them may leave these computers vulnerable.

Attachments from RSS feeds may not be secure. This setting will prevent
attachments from being downloaded from RSS feeds.

If a communal temporary folder is used for remote desktop sessions, it might be
possible for users to access other users' temporary folders. If this setting is enabled,
only one temporary folder is used for all remote desktop sessions. Per-session
temporary folders must be established.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Lock pages in memory" user right allows physical memory to be assigned to
processes, which could cause performance issues or a DoS.

Basic authentication uses plain text passwords that could be used to compromise a
system.

This setting controls how long a session may be idle before it is automatically
disconnected from the server. Users must disconnect if they plan on being away
from their terminals for extended periods of time. Idle sessions must be
disconnected after 15 minutes.

Remote connections must be encrypted to prevent interception of data or sensitive
information. Selecting "High Level" will ensure encryption of Remote Desktop
Services sessions in both directions.

Remote desktop session temporary folders must always be deleted after a session is
over to prevent hard disk clutter and potential leakage of information. This setting
controls the deletion of the temporary folders when the session is terminated.

This setting controls how long a session will remain open if it is unexpectedly
terminated. Such sessions use system resources and must be terminated as soon as
possible.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Force shutdown from a remote system" user right can remotely
shut down a system, which could result in a DoS.

Uncontrolled system updates can introduce issues to a system. Obtaining update
components from an outside source may also potentially allow sensitive information
to leave the enterprise. Application updates must be obtained from an internal
source.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Increase a process working set" user right can change the size of
a process's working set, potentially causing performance issues or a DoS.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Impersonate a client after authentication" user right allows a program to
impersonate another user or account to run on their behalf. An attacker could
potentially use this to elevate privileges.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Generate security audits" user right specifies users and processes that can
generate Security Log audit records, which must only be the system service accounts
defined.

A PKI implementation depends on the practices established by the Certificate
Authority (CA) to ensure the implementation is secure. Without proper practices,
the certificates issued by a CA have limited value in authentication functions.

When inappropriate audit settings are configured for directory service database
objects, it may be possible for a user or process to update the data without
generating any tracking data. The impact of missing audit data is related to the type
of object. A failure to capture audit data for objects used by identification,
authentication, or authorization functions could degrade or eliminate the ability to
track changes to access policy for systems or data.

For Active Directory (AD), there are a number of critical object types in the domain
naming context of the AD database for which auditing is essential. This includes the
Domain Controller OU object. Because changes to these objects can significantly
impact access controls or the availability of systems, the absence of auditing data
makes it impossible to identify the source of changes that impact the confidentiality,
integrity, and availability of data and systems throughout an AD domain. The lack of
proper auditing can result in insufficient forensic evidence needed to investigate an
incident and prosecute the intruder.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

Accounts with the "Access this computer from the network" right may access
resources on the system and should be limited to those requiring it.

Permissions on the Winlogon registry key must only allow privileged accounts to
change registry values. If standard users have this capability, there is a potential for
programs to run with elevated privileges when a privileged user logs on to the
system.

A compromised local administrator account can provide means for an attacker to
move laterally between domain systems.

With User Account Control enabled, filtering the privileged token for local
administrator accounts will prevent the elevated privileges of these accounts from
being used over the network.

Permissions on the Active Setup\Installed Components registry key must only allow
privileged accounts to add or change registry values. If standard user accounts have
this capability, there is a potential for programs to run with elevated privileges when
a privileged user logs on to the system.

The registry is integral to the function, security, and stability of the Windows system.
Some processes may require anonymous access to the registry. This must be limited
to properly protect the system.

This setting determines the maximum amount of time (in minutes) that a granted
session ticket can be used to access a particular service. Session tickets are used only
to authenticate new connections with servers. Ongoing operations are not
interrupted if the session ticket used to authenticate the connection expires during
the connection.

Root Certificate updates must be controlled in the enterprise to ensure a proper
validation chain is maintained. This setting prevents root certificates from being
updated automatically from the Microsoft site.

Uncontrolled installation of applications can introduce various issues, including
system instability, and allow access to sensitive information. Installation of
applications must be controlled by the enterprise. Turning off access to the Windows
Store will limit access to publicly available applications.

Viewing events is a function of administrators, who must not access the Internet with
privileged accounts. This setting will disable Events.asp hyperlinks in Event Viewer to
prevent links to the Internet from within events.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents the computer from downloading print driver packages over
HTTP.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents errors in handwriting recognition on tablet PCs from being
reported to Microsoft.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents Windows from downloading a list of providers for the Web
publishing and online ordering wizards.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents the Internet Connection Wizard from downloading a list of
Internet Service Providers (ISPs) from Microsoft.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents the client computer from printing over HTTP, which allows the
computer to print to printers on the intranet as well as the Internet.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting prevents unhandled file associations from using the Microsoft Web
service to find an application.

Executing application servers on the same host machine with a directory server may
substantially weaken the security of the directory server. Web or database server
applications usually require the addition of many programs and accounts increasing
the attack surface of the computer.

Some applications require the addition of privileged accounts providing potential
sources of compromise. Some applications (such as MS Exchange) may require the
use of network ports or services conflicting with the directory server. In this case,
non-standard ports might be selected and this could interfere with intrusion
detection or prevention services.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Deny log on as a batch job" user right defines accounts that are prevented from
logging on to the system as a batch job, such as Task Scheduler.

The Guests group must be assigned to prevent unauthenticated access.

The lack of password protection enables anyone to gain access to the information
system, which opens a backdoor opportunity for intruders to compromise the system
as well as other resources. Accounts on a system must require passwords.

Outdated or unused accounts provide penetration points that may go undetected.
Inactive accounts must be deleted if no longer necessary or, if still required, disabled
until needed.

Monitoring system files for changes against a baseline on a regular basis may help
detect the possible introduction of malicious code on a system.

Passwords that do not expire or are reused increase the exposure of a password with
greater probability of being discovered or cracked.

Virtual guest operating systems share the same vulnerabilities as operating systems
running on dedicated hardware and must be individually assessed for security
guidance compliance. The VMS used may be DISA VMS or a similar vulnerability and
asset management system.

Allowing a system to boot into multiple operating systems (dual-booting) may allow
security to be circumvented on a secure system.

To minimize potential points of attack, local users, other than built-in accounts such
as Administrator and Guest accounts, must not exist on a workstation in a domain.
Users must log onto workstations in a domain with their domain accounts.

Windows shares are a means by which files, folders, printers, and other resources
can be published for network users to access. Improper configuration can permit
access to devices and data beyond a user's need.

Shares on a system provide network access. To prevent exposing sensitive
information, where shares are necessary, permissions must be reconfigured to give
the minimum access to those accounts that require it.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting ensures users cannot provide ratings feedback to Microsoft for Help
content.

Preserving zone of origin (Internet, intranet, local, restricted) information on file
attachments allows Windows to determine risk.

Toast notifications that are displayed on the lock screen could display sensitive
information to unauthorized personnel. Turning off this feature will limit access to
the information to a logged on user.

Some features may communicate with the vendor, sending system information or
downloading data or components for the feature. Turning off this capability will
prevent potentially sensitive information from being sent outside the enterprise and
uncontrolled updates to the system.
This setting ensures the Windows Help Experience Improvement Program is disabled
to prevent information from being passed to the vendor.

Unattended systems are susceptible to unauthorized use and must be locked.
Preventing users from changing the screen saver ensures an approved screen saver is
used. This protects critical and sensitive data from exposure to unauthorized
personnel with physical access to the computer.

The Windows Push Notification Service (WNS) allows third-party vendors to send
updates for toasts, tiles, and badges.

Unattended systems are susceptible to unauthorized use and must be locked.
Specifying a screen saver ensures the screen saver timeout lock is initiated properly.
This protects critical and sensitive data from exposure to unauthorized personnel
with physical access to the computer.

Unattended systems are susceptible to unauthorized use and must be locked when
unattended. Enabling a password-protected screen saver to engage after a specified
period of time helps protect critical and sensitive data from exposure to
unauthorized personnel with physical access to the computer.

A firewall provides a line of defense against attack. To be effective, it must be
enabled and properly configured. This setting enables the firewall when connected
to a private network.

Unattended systems are susceptible to unauthorized use and must be locked when
unattended. Enabling a password-protected screen saver to engage after a specified
period of time helps protect critical and sensitive data from exposure to
unauthorized personnel with physical access to the computer.

Using applications that access the Internet or have potential Internet sources using
administrative privileges exposes a system to compromise. If a flaw in an application
is exploited while running as a privileged user, the entire system could be
compromised. Web browsers and email are common attack vectors for introducing
malicious code and must not be run with an administrative user account.

Since administrative user accounts may generally change or work around technical
restrictions for running a web browser or other applications, it is essential that policy
requires administrative users to not access the Internet or use applications, such as
email.

The policy should define specific exceptions for local service administration. These
exceptions may include HTTP(S)-based tools that are used for the administration of
the local system, services, or attached devices.

Backup Operators are able to read and write to any file in the system, regardless of
the rights assigned to it. Backup and restore rights permit users to circumvent the
file access restrictions present on NTFS disk drives for backup and restore purposes.
Members of the Backup Operators group must have separate logon accounts for
performing backup duties.

A system's BIOS or system controller handles the initial startup of a system, and its
configuration must be protected from unauthorized modification. When the BIOS or
system controller supports the creation of user accounts or passwords, such
protections must be used and accounts/passwords only assigned to system
administrators. Failure to protect BIOS or system controller settings could result in
Denial of Service or compromise of the system resulting from unauthorized
configuration changes.

Malicious users with removable boot media can gain access to a system configured to
use removable media as the boot loader.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.
Computer Account Management records events such as creating, changing, deleting,
renaming, disabling, or enabling computer accounts.

Inadequate physical protection can undermine all other security precautions utilized
to protect the system. This can jeopardize the confidentiality, availability, and
integrity of the system. Physical security is the first line of protection of any system.

If SAs are assigned to systems running operating systems for which they have no
training, these systems are at additional risk of unintentional misconfiguration that
may result in vulnerabilities or decreased availability of the system.

The longer a password is in use, the greater the opportunity for someone to gain
unauthorized knowledge of the password. Passwords for the built-in Administrator
account must be changed at least annually or when any member of the
administrative team leaves the organization.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Other Account Management Events records events such as the access of a password
hash or the Password Policy Checking API being called.

Using a privileged account to perform routine functions makes the computer
vulnerable to malicious software inadvertently introduced during a session that has
been granted full privileges.

Inappropriate granting of user rights can provide system, administrative, and other
high-level capabilities.

The "Deny log on as a service" user right defines accounts that are denied log on as a
service.

Incorrect configurations could prevent services from starting and result in a DoS.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Audit Policy Change records events related to changes in audit policy.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Audit Policy Change records events related to changes in audit policy.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Authentication Policy Change records events related to changes in authentication
policy, including Kerberos policy and Trust changes.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Registry auditing under Object Access is used to enable the recording of events
related to the access and changing of the registry. Auditing must also be enabled on
the specific registry objects to be audited.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Removable Storage auditing under Object Access records events related to access
attempts on file system objects on removable storage devices.

Maintaining an audit trail of system activity logs can help identify configuration
errors, troubleshoot service disruptions, and analyze compromises that have
occurred, as well as detect attacks. Audit logs are necessary to provide a trail of
evidence in case the system or network is compromised. Collecting this data is
essential for analyzing the security of information assets and detecting signs of
suspicious and unexpected behavior.

Removable Storage auditing under Object Access records events related to access
attempts on file system objects on removable storage devices.

Recommendation

Ensure the following services that are critical for directory server
operation are configured for automatic startup.

- Active Directory Domain Services
- DFS Replication
- DNS Client
- DNS server
- Group Policy Client
- Intersite Messaging
- Kerberos Key Distribution Center
- NetLogon
- Windows Time (not required if another time synchronization tool is
implemented to start automatically)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Object Access -> "Audit File System" with "Failure"
selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Object Access -> "Audit Central Access Policy
Staging" with "Failure" selected.

Configure the directory service to terminate LDAP-based network
connections to the directory server after five (5) minutes of inactivity.

Open an elevated command prompt.
Enter "ntdsutil".
At the "ntdsutil:" prompt, enter "LDAP policies".
At the "ldap policy:" prompt, enter "connections".
At the "server connections:" prompt, enter "connect to server [host-name]".
(Where [host-name] is the computer name of the domain controller.)
At the "server connections:" prompt, enter "q".
At the "ldap policy:" prompt, enter "Set MaxConnIdleTime to 300".
Enter "Commit Changes" to save.
Enter "Show values" to verify changes.
Enter "q" at the "ldap policy:" and "ntdsutil:" prompts to exit.
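
The following is an added example, not part of the guidance text: a PowerShell check of the idle timeout set by the ntdsutil steps above, read from the lDAPAdminLimits values of the Default Query Policy object. The function name Test-LdapIdleTimeout and the sample values are constructed for illustration, and treating any value of 300 seconds or less as compliant is an assumption based on the five-minute requirement.

```powershell
# Added example: evaluate MaxConnIdleTime from lDAPAdminLimits values.
#
# Live input on a domain controller (requires the ActiveDirectory module):
#   $dn = 'CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,' +
#         'CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
#   $live = (Get-ADObject -Identity $dn -Properties lDAPAdminLimits).lDAPAdminLimits
#
# Caveat: a domain controller or site can be assigned a different query policy
# through its queryPolicyObject attribute. When one is assigned, read that
# object instead of the Default Query Policy.

function Test-LdapIdleTimeout {
    [CmdletBinding()]
    param(
        # Values of the multi-valued lDAPAdminLimits attribute ("Name=Value").
        [Parameter(Mandatory)] [string[]] $LdapAdminLimits,
        # Five minutes, per the recommendation (assumption: lower is also acceptable).
        [int] $MaxSeconds = 300
    )

    # Split each "Name=Value" entry once, on the first '='.
    $limits = @{}
    foreach ($entry in $LdapAdminLimits) {
        $name, $value = $entry -split '=', 2
        if ($name) { $limits[$name.Trim()] = "$value".Trim() }
    }

    $seconds = 0
    if (-not $limits.ContainsKey('MaxConnIdleTime')) {
        $status = 'NotSet'          # policy value absent from the object
    }
    elseif (-not [int]::TryParse($limits['MaxConnIdleTime'], [ref]$seconds)) {
        $status = 'Unparseable'     # present but not an integer
    }
    elseif ($seconds -gt $MaxSeconds) {
        $status = 'TooLong'         # idle connections are kept longer than allowed
    }
    else {
        $status = 'Compliant'
    }

    [pscustomobject]@{
        Setting   = 'MaxConnIdleTime'
        Value     = $limits['MaxConnIdleTime']
        LimitSecs = $MaxSeconds
        Status    = $status
    }
}

# Constructed sample values (not taken from a real directory).
$constructedBefore = 'MaxPoolThreads=4', 'MaxConnIdleTime=900', 'MaxPageSize=1000'
$constructedAfter  = 'MaxPoolThreads=4', 'MaxConnIdleTime=300', 'MaxPageSize=1000'

Test-LdapIdleTimeout -LdapAdminLimits $constructedBefore   # Status: TooLong
Test-LdapIdleTimeout -LdapAdminLimits $constructedAfter    # Status: Compliant
```
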
Configure the system to include only administrator groups or accounts
that are responsible for the system in the Administrators group.

Remove any standard user accounts.

Detailed auditing subcategories are configured in Security Settings ->
Advanced Audit Policy Configuration. The summary level settings under
Security Settings -> Local Policies -> Audit Policy will not be enforced (see
V-14230).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> DS Access -> "Directory Service Changes" with
"Failure" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "Audit:
Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Deny log on through Remote Desktop Services" to include the following:

Guests Group

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Accounts: Guest account status" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Accounts: Limit local account use of blank passwords to console logon
only" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Accounts: Rename administrator account" to a name other than
"Administrator".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Accounts: Rename guest account" to a name other than "Guest".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "Audit:
Audit the access of global system objects" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Deny log on locally" to include the following:

Guests Group

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Create a token object" to be defined but containing no entries (blank).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Create global objects" to only include the following accounts or groups:

Administrators
Service
Local Service
Network Service

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Change the time zone" to only include the following accounts or groups:

Administrators
Local Service

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Create a pagefile" to only include the following accounts or groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Debug programs" to only include the following accounts or groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Create permanent shared objects" to be defined but containing no
entries (blank).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Create symbolic links" to only include the following accounts or groups:

Administrators
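
The following is an added example, not part of the guidance text: a PowerShell check of the user rights recommended above ("Deny log on ...", "Create a token object" through "Create symbolic links") against a secedit export. The function names, the rule table layout and the sample export are constructed for illustration; the privilege constants and well-known SIDs are the standard Windows ones.

```powershell
# Added example. Live input (elevated prompt); secedit writes SIDs prefixed with '*':
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $inf = Get-Content "$env:TEMP\rights.inf"

# Well-known SIDs for the accounts and groups named in the recommendations.
$Sid = @{
    Administrators = 'S-1-5-32-544'
    Guests         = 'S-1-5-32-546'
    Service        = 'S-1-5-6'
    LocalService   = 'S-1-5-19'
    NetworkService = 'S-1-5-20'
}

# Mode 'Only':     nothing outside Sids may hold the right (empty list = blank).
# Mode 'Includes': every SID in Sids must hold the right.
$UserRightRules = @(
    @{ Policy = 'Deny log on through Remote Desktop Services'; Right = 'SeDenyRemoteInteractiveLogonRight'; Mode = 'Includes'; Sids = @($Sid.Guests) }
    @{ Policy = 'Deny log on locally';             Right = 'SeDenyInteractiveLogonRight';   Mode = 'Includes'; Sids = @($Sid.Guests) }
    @{ Policy = 'Create a token object';           Right = 'SeCreateTokenPrivilege';        Mode = 'Only'; Sids = @() }
    @{ Policy = 'Create global objects';           Right = 'SeCreateGlobalPrivilege';       Mode = 'Only'; Sids = @($Sid.Administrators, $Sid.Service, $Sid.LocalService, $Sid.NetworkService) }
    @{ Policy = 'Change the time zone';            Right = 'SeTimeZonePrivilege';           Mode = 'Only'; Sids = @($Sid.Administrators, $Sid.LocalService) }
    @{ Policy = 'Create a pagefile';               Right = 'SeCreatePagefilePrivilege';     Mode = 'Only'; Sids = @($Sid.Administrators) }
    @{ Policy = 'Debug programs';                  Right = 'SeDebugPrivilege';              Mode = 'Only'; Sids = @($Sid.Administrators) }
    @{ Policy = 'Create permanent shared objects'; Right = 'SeCreatePermanentPrivilege';    Mode = 'Only'; Sids = @() }
    @{ Policy = 'Create symbolic links';           Right = 'SeCreateSymbolicLinkPrivilege'; Mode = 'Only'; Sids = @($Sid.Administrators) }
)

# Parse the [Privilege Rights] section into right -> array of SIDs or names.
# Entries without a leading '*' are account names and are compared as written.
function Get-PrivilegeRight {
    param([Parameter(Mandatory)] [string[]] $InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return $rights
}

function Test-UserRight {
    param(
        [Parameter(Mandatory)] [hashtable] $Rights,
        [Parameter(Mandatory)] [object[]]  $Rules
    )
    foreach ($rule in $Rules) {
        # A right that is absent from the export has no holders.
        $actual = @()
        if ($Rights.ContainsKey($rule.Right)) { $actual = @($Rights[$rule.Right]) }

        if ($rule.Mode -eq 'Includes') {
            $problem = @($rule.Sids | Where-Object { $actual -notcontains $_ })   # required but missing
        }
        else {
            $problem = @($actual | Where-Object { $rule.Sids -notcontains $_ })   # present but not allowed
        }

        [pscustomobject]@{
            Policy    = $rule.Policy
            Mode      = $rule.Mode
            Actual    = $actual -join ','
            Offending = $problem -join ','
            Compliant = ($problem.Count -eq 0)
        }
    }
}

# Constructed sample export (the domain SID is made up).
$constructedInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544
SeCreatePagefilePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
'@ -split '\r?\n'

Test-UserRight -Rights (Get-PrivilegeRight -InfLines $constructedInf) -Rules $UserRightRules |
    Format-Table -AutoSize
```

On the constructed sample, "Debug programs" is flagged for the extra domain SID and "Deny log on through Remote Desktop Services" for the missing Guests group; the rights that are absent from the export count as blank.
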

Detailed auditing subcategories are configured in Security Settings ->
Advanced Audit Policy Configuration. The summary level settings under
Security Settings -> Local Policies -> Audit Policy will not be enforced (see
V-14230).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> DS Access -> "Directory Service Access" with
"Success" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network access: Named pipes that can be accessed anonymously" to
only include "netlogon, samr, lsarpc".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Locale Services -> "Disallow copying of user input
methods to the system account for sign-in" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Logon -> "Always use classic logon" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off Registration if URL connection is
referring to Microsoft.com" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off Search Companion content file
updates" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off the "Order Prints" picture task" to
"Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off the "Publish to Web" task for files and
folders" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off the Windows Messenger Customer
Experience Improvement Program" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication Settings -> "Turn off Windows Customer Experience
Improvement Program" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off Windows Error Reporting" to
"Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off Windows Update device driver
searching" to "Enabled".

Install the DoD Interoperability Root CA to DoD Root CA 2 cross-certificate.
Administrators should run the Federal Bridge Certification Authority
(FBCA) Cross-Certificate Removal Tool once as an administrator and once
as the current user. The FBCA Cross-Certificate Remover tool and user
guide are available on IASE at
http://iase.disa.mil/pki-pke/function_pages/tools.html.

Install the ECA Root CA 2 certificate. The InstallRoot tool is available on
IASE at http://iase.disa.mil/pki-pke/function_pages/tools.html.

Install the DoD Root CA 2 certificate. The InstallRoot tool is available on
IASE at http://iase.disa.mil/pki-pke/function_pages/tools.html.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Remote Management
(WinRM) -> WinRM Service -> "Disallow WinRM from storing RunAs
credentials" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Global Object Access Auditing -> "Registry" with
the following:

Principal: Everyone
Type: Fail
Permissions: all categories selected

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Global Object Access Auditing -> "File system"
with the following:

Principal: Everyone
Type: Fail
Permissions: all categories selected

If this is configured on a domain controller, in local or group policy, do not
set any conditions limiting the scope.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> System -> "Audit System Integrity" with "Failure"
selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> System -> "Audit Security System Extension" with
"Failure" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> System -> "Audit System Integrity" with "Success"
selected.

If the system needs to be configured to an NTP server, configure the
system to point to an authorized time server by setting the policy value for
Computer Configuration -> Administrative Templates -> System ->
Windows Time Service -> Time Providers -> "Configure Windows NTP
Client" to "Enabled", and configure the "NtpServer" field to point to an
authorized time server.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Domain controller: LDAP server signing requirements" to "Require
signing".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Remote Assistance -> "Turn on session logging" to
"Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Detailed Tracking -> "Audit Process Creation" with
"Success" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Account Management -> "Audit User Account
Management" with "Failure" selected.
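
The following is an added example, not part of the guidance text: a PowerShell check of the Advanced Audit Policy subcategories recommended above against the CSV report that auditpol produces. The function name Test-AuditSubcategory and the sample report are constructed for illustration, and the subcategory names assume an English-language system.

```powershell
# Added example. Live input (elevated prompt):
#   $live = auditpol /get /category:* /r

# Required settings from the recommendations on this page, keyed by the
# subcategory name as auditpol prints it. auditpol lists the "Audit Central
# Access Policy Staging" policy as "Central Policy Staging".
$RequiredAudit = [ordered]@{
    'File System'               = @('Failure')
    'Central Policy Staging'    = @('Failure')
    'Directory Service Changes' = @('Failure')
    'Directory Service Access'  = @('Success')
    'System Integrity'          = @('Success', 'Failure')
    'Security System Extension' = @('Failure')
    'Process Creation'          = @('Success')
    'User Account Management'   = @('Failure')
}

function Test-AuditSubcategory {
    param(
        # Lines of the "auditpol /get /category:* /r" report.
        [Parameter(Mandatory)] [string[]] $AuditpolCsv,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Required
    )

    # Index the effective setting of every reported subcategory.
    # Blank lines in the report are dropped before CSV parsing.
    $effective = @{}
    $AuditpolCsv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv | ForEach-Object {
        $effective[$_.Subcategory] = $_.'Inclusion Setting'
    }

    foreach ($name in $Required.Keys) {
        $actual = $effective[$name]
        # "Success and Failure" satisfies both flags; "No Auditing" satisfies none.
        $missing = @($Required[$name] | Where-Object { "$actual" -notmatch $_ })
        [pscustomobject]@{
            Subcategory = $name
            Required    = $Required[$name] -join ' and '
            Actual      = if ($null -eq $actual) { 'not reported' } else { $actual }
            Missing     = $missing -join ', '
            Compliant   = ($missing.Count -eq 0)
        }
    }
}

# Constructed sample report; {GUID} stands in for the real subcategory GUIDs.
$constructedCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

DC01,System,File System,{GUID},Failure,
DC01,System,Central Policy Staging,{GUID},No Auditing,
DC01,System,Directory Service Changes,{GUID},Success and Failure,
DC01,System,Directory Service Access,{GUID},Success,
DC01,System,System Integrity,{GUID},Success,
DC01,System,Security System Extension,{GUID},Failure,
DC01,System,Process Creation,{GUID},No Auditing,
'@ -split '\r?\n'

Test-AuditSubcategory -AuditpolCsv $constructedCsv -Required $RequiredAudit |
    Format-Table -AutoSize
```

On the constructed report, "Central Policy Staging", "System Integrity" (Failure missing), "Process Creation" and the unreported "User Account Management" are flagged. The subcategory values only take effect when "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.
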
Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "Audit:
Audit the use of Backup and Restore privilege" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(TcpMaxDataRetransmissions) How many times unacknowledged data is
retransmitted (3 recommended, 5 is the default)" to "3" or less.

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(WarningLevel) Percentage threshold for the security event log at which
the system will generate a warning" to "90" or less.

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure NSA-approved (Type 1) cryptography to protect the directory
data in transit for directory service implementations at a classified
confidentiality level that transfers replication data through a network
cleared to a lower level than the data.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(PerformRouterDiscovery) Allow IRDP to detect and configure Default
Gateway addresses (could lead to DoS)" to "Disabled".

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(SafeDllSearchMode) Enable Safe DLL search mode (recommended)" to
"Enabled".

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(ScreenSaverGracePeriod) The time in seconds before the screen saver
grace period expires (0 recommended)" to "5" or less.

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure the policy value for Computer Configuration -> Windows


Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(TcpMaxDataRetransmissions IPv6) How many times unacknowledged
data is retransmitted (3 recommended, 5 is the default)" to "3" or less.

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(KeepAliveTime) How often keep-alive packets are sent in milliseconds" to
"300000 or 5 minutes (recommended)" or less.

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(NoDefaultExempt) Configure IPSec exemptions for various types of
network traffic" to "Only ISAKMP is exempt (recommended for Windows
Server 2003)".

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(NoNameReleaseOnDemand) Allow computer to ignore NetBIOS name
release requests except from WINS servers" to "Enabled".

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Remove or disable the Peer Networking Identity Manager (p2pimsvc)
service.

Remove or disable the Fax (fax) service.

Remove or disable the Microsoft FTP Service (msftpsvc) service.

Configure the Startup Type for the Smart Card Removal Policy service to
"Automatic".

Configure all user accounts, including administrator accounts, in Active
Directory to enable the option "Smart card is required for interactive
logon".

Remove or disable the Simple TCP/IP Services (simptcp) service.

Remove or disable the Telnet (tlntsvr) service.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Security "Require secure RPC
communication" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Connections "Restrict Remote Desktop
Services users to a single Remote Desktop Services Session" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Device and Resource Redirection "Do not
allow COM port redirection" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Device and Resource Redirection "Do not
allow LPT port redirection" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Device and Resource Redirection "Do not
allow smart card device redirection" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Device and Resource Redirection "Do not
allow supported Plug and Play device redirection" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Printer Redirection "Redirect only the
default client printer" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Remote Session Environment "Remove
"Disconnect" option from Shut Down dialog" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Account Management -> "Audit Security Group
Management" with "Failure" selected.

Ensure the permissions on the Domain Controllers OU are at least as
restrictive as the defaults below.

Document any additional permissions above read with the IAO if an
approved distributed administration model (help desk or other user
support staff) is implemented.

SELF - Special permissions

Authenticated Users - Read, Special permissions


The Special permissions for Authenticated Users are Read types. If
detailed permissions include any Create, Delete, Modify, or Write
Permissions or Properties, this is a finding.

SYSTEM - Full Control

Domain Admins - Read, Write, Create all child objects, Generate resultant
set of policy (logging), Generate resultant set of policy (planning), Special
permissions

Enterprise Admins - Full Control

Administrators - Read, Write, Create all child objects, Generate resultant
set of policy (logging), Generate resultant set of policy (planning), Special
permissions

Pre-Windows 2000 Compatible Access - Special permissions


The Special permissions for Pre-Windows 2000 Compatible Access are
Read types. If detailed permissions include any Create, Delete, Modify, or
Write Permissions or Properties, this is a finding.

ENTERPRISE DOMAIN CONTROLLERS - Special permissions

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies ->
"Set IP-HTTPS State" to "Enabled: Disabled State".

Note: "IPHTTPS URL:" must be entered in the policy even if set to Disabled
State. Enter "about:blank".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies ->
"Set ISATAP State" to "Enabled: Disabled State".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> Network Connections -> "Prohibit installation and
configuration of Network Bridge on your DNS domain network" to
"Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> Network Connections -> "Require domain users
to elevate when setting a network's location" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> Network Connections -> "Route all traffic through
the internal network" to "Enabled: Enabled State".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies ->
"Set 6to4 State" to "Enabled: Disabled State".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> Link-Layer Topology Discovery -> "Turn on
Mapper I/O (LLTDIO) driver" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> Link-Layer Topology Discovery -> "Turn on
Responder (RSPNDR) driver" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> Microsoft Peer-to-Peer Networking Services ->
"Turn off Microsoft Peer-to-Peer Networking Services" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Shut down the system" to only include the following accounts or groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Restore files and directories" to only include the following accounts or
groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Take ownership of files or other objects" to only include the following
accounts or groups:

Administrators

Obtain PKI certificates issued by the DoD PKI or an approved External
Certificate Authority (ECA).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "User
Account Control: Admin Approval Mode for the Built-in Administrator
account" to "Enabled".

UAC requirements are NA on Server Core installations.

Ensure the permissions on domain defined OUs are at least as restrictive
as the defaults below.

Document any additional permissions above read with the IAO if an
approved distributed administration model (help desk or other user
support staff) is implemented.

Self - Special permissions

Authenticated Users - Read, Special permissions


The Special permissions for Authenticated Users are Read type. If detailed
permissions include any Create, Delete, Modify, or Write Permissions or
Properties, this is a finding.

SYSTEM - Full Control

Domain Admins - Full Control

Enterprise Admins - Full Control

Administrators - Read, Write, Create all child objects, Generate resultant
set of policy (logging), Generate resultant set of policy (planning), Special
permissions

Pre-Windows 2000 Compatible Access - Special permissions


The Special permissions for Pre-Windows 2000 Compatible Access are for
Read types. If detailed permissions include any Create, Delete, Modify, or
Write Permissions or Properties, this is a finding.

ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
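The finding rule stated above for both the Domain Controllers OU and domain-defined OUs (no Create, Delete, Modify, or Write rights for Authenticated Users or Pre-Windows 2000 Compatible Access) can be checked against an OU's security descriptor in SDDL form. This is an added example, not part of the STIG; the sample descriptors are constructed, and treating the SDDL rights CC, DC, SW, WP, DT, SD, WD, WO, GA and GW as the "write types" is this example's interpretation of that rule.

```python
import re

# Directory-service access rights as they appear in SDDL ACE strings.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
# Assumption: these map to "Create, Delete, Modify, or Write Permissions or Properties".
WRITE_TYPES = {"CC", "DC", "SW", "WP", "DT", "SD", "WD", "WO", "GA", "GW"}

# Trustees the fix text limits to Read types (SDDL alias and SID form).
READ_ONLY_TRUSTEES = {
    "AU": "Authenticated Users",
    "S-1-5-11": "Authenticated Users",
    "RU": "Pre-Windows 2000 Compatible Access",
    "S-1-5-32-554": "Pre-Windows 2000 Compatible Access",
}


def rights_mask(rights):
    """Convert an SDDL rights field (two-letter codes or 0x hex) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("malformed rights field: %r" % rights)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in RIGHTS:
            raise ValueError("unknown right %r" % code)
        mask |= RIGHTS[code]
    return mask


def dacl_aces(sddl):
    """Return the ACEs of the DACL only (the SACL after 'S:' is ignored).

    Conditional ACEs, which nest parentheses, are not handled here.
    """
    match = re.search(r"D:[A-Z_]*((?:\([^()]*\))+)", sddl)
    if not match:
        return []
    return [ace.split(";") for ace in re.findall(r"\(([^()]*)\)", match.group(1))]


def write_findings(sddl):
    """List (trustee, [write-type rights]) for allow ACEs that exceed Read."""
    findings = []
    for fields in dacl_aces(sddl):
        # Fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        if len(fields) < 6 or fields[0] not in ("A", "OA"):
            continue  # deny and audit ACEs grant nothing
        trustee = fields[5]
        if trustee not in READ_ONLY_TRUSTEES:
            continue
        mask = rights_mask(fields[2])
        bad = [n for n, bit in RIGHTS.items() if n in WRITE_TYPES and mask & bit]
        if bad:
            findings.append((trustee, bad))
    return findings


# Constructed samples; the GUID is a placeholder, not a real schema GUID.
GUID = "00000000-0000-0000-0000-000000000000"
READ_ONLY_OU = (
    "O:DAG:DAD:AI(A;;RPLCLORC;;;AU)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(OA;CIIO;RPLCLORC;;" + GUID + ";RU)(A;;RPLCLORC;;;ED)"
    "S:AI(AU;SAFA;WPWDWO;;;AU)"
)
OVER_PERMISSIVE_OU = (
    "O:DAG:DAD:AI(A;;RPLCLORC;;;AU)(OA;CI;WP;" + GUID + ";;AU)"
    "(A;CI;CCDC;;;RU)(D;;WP;;;AU)(A;;0x30;;;S-1-5-11)"
    "(A;;RPWPCCDCLCSWRCWDWOGA;;;SY)"
)

if __name__ == "__main__":
    for name, sddl in (("read-only", READ_ONLY_OU), ("over-permissive", OVER_PERMISSIVE_OU)):
        print(name, write_findings(sddl))
```

Extended rights (CR) are left out of the write set; review any CR ACEs for these trustees by hand.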

Remove any certificate installation files (*.p12 and *.pfx) found on a
system.

This does not apply to server-based applications that have a requirement
for .p12 certificate files (e.g., Oracle Wallet Manager).

Document the services required for the system to operate. Remove or
disable any services that are not required.

Install a host-based Intrusion Detection System on each server.

Establish an automated process to scan systems for identified software
flaws and vulnerabilities.

Establish a process to automatically install security-related software
updates.

Install software that provides certificate validation and revocation
checking.

Configure the system to prevent an installed FTP service from allowing
anonymous logons.

Configure the system to prevent an FTP service from allowing access to
the system drive.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Domain Profile Tab ->
Logging (select Customize), "Log successful connections" to "Yes".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Domain Profile Tab ->
Logging (select Customize), "Log dropped packets" to "Yes".

Configure a comparable setting if a third-party firewall is used.


Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Domain Profile Tab ->
Settings (select Customize) -> Unicast response, "Allow unicast response"
to "No".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Domain Profile Tab ->
Settings (select Customize) -> Firewall settings, "Display a notification" to
"Yes (default)".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Domain Profile Tab ->
Logging (select Customize), "Size limit (KB):" to "16,384" (or greater).

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Domain Profile Tab ->
Logging (select Customize), "Name" to
"%windir%\system32\logfiles\firewall\domainfirewall.log".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for User Configuration -> Administrative
Templates -> Windows Components -> Attachment Manager -> "Notify
antivirus programs when opening attachments" to "Enabled".

Configure the policy value for User Configuration -> Administrative
Templates -> Windows Components -> Attachment Manager -> "Hide
mechanisms to remove zone information" to "Enabled".

Configure the policy value for User Configuration -> Administrative
Templates -> Windows Components -> Windows Media Player -> Playback
-> "Prevent Codec Download" to "Enabled".

Configure the policy value for User Configuration -> Administrative
Templates -> Windows Components -> Network Sharing -> "Prevent users
from sharing files within their profile" to "Enabled".

Establish a site policy to ensure the following are met during remote
access:
Userid and password information is encrypted.
User data coming from or going outside the network firewall is encrypted.
(Encrypting user data within the firewall is also highly recommended).
Administrator data is encrypted.

Establish a site policy that defines the requirements for application/service
account password changes.

Change application/service account passwords that are manually managed
and entered by a system administrator at least annually or whenever an
administrator with knowledge of the password leaves the organization.

Establish a site policy that defines the requirements for application/service
account length. Create application/service account passwords that are at
least 15 characters in length.

Implement a process using security configuration tools or the equivalent
to configure Windows systems to meet security requirements.

Create or update shared account documentation that minimally contains
the name of the shared accounts, the systems on which the accounts
exist, and the individuals who have access to the accounts. Remove any
shared accounts that do not meet the requirements.

Implement user-level information backups to support organizational
recovery time and recovery point objectives.

Implement system-level information backups to support organizational
recovery time and recovery point objectives.

Back up system-related documentation to support organizational recovery
time and recovery point objectives.

Ensure system-level information backups are stored in a secure location
and protected from destruction.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "User
Account Control: Detect application installations and prompt for elevation"
to "Enabled".

UAC requirements are NA on Server Core installations.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "User
Account Control: Only elevate executables that are signed and validated"
to "Disabled".

UAC requirements are NA on Server Core installations.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "User
Account Control: Only elevate UIAccess applications that are installed in
secure locations" to "Enabled".

UAC requirements are NA on Server Core installations.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "User
Account Control: Run all administrators in Admin Approval Mode" to
"Enabled".

UAC requirements are NA on Server Core installations.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "User
Account Control: Switch to the secure desktop when prompting for
elevation" to "Enabled".

UAC requirements are NA on Server Core installations.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "User
Account Control: Virtualize file and registry write failures to per-user
locations" to "Enabled".

UAC requirements are NA on Server Core installations.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "User
Account Control: Allow UIAccess applications to prompt for elevation
without using the secure desktop" to "Disabled".

UAC requirements are NA on Server Core installations.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "System
settings: Use Certificate Rules on Windows Executables for Software
Restriction Policies" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "System
settings: Optional subsystems" to "Blank" (Configured with no entries).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Devices: Prevent users from installing printer drivers" to "Enabled".

Configure the audit settings for AdminSDHolder object to include the
following.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object only

The success types listed below are defaults. Where Special is listed in the
summary screens for Access, detailed Permissions are provided for
reference; various Properties selections may also exist by default.

Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Write all properties, Modify permissions, Modify
owner)

Two instances with the following summary information will be listed.


Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)
Applies to - Descendant Organizational Unit objects

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Synchronize directory service data" to be defined but containing no
entries (blank).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Object Access -> "Audit Handle Manipulation"
with "Failure" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Account Policies -> Password Policy ->
"Password must meet complexity requirements" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Account Policies -> Password Policy ->
"Store password using reversible encryption" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Account Policies -> Account Lockout Policy
-> "Account lockout threshold" to "3" or less invalid logon attempts
(excluding "0" which is unacceptable).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Account Policies -> Account Lockout Policy
-> "Reset account lockout counter after" to at least "60" minutes.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Account Policies -> Account Lockout Policy
-> "Account lockout duration" to "0" minutes, "Account is locked out until
administrator unlocks it".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Account Policies -> Password Policy ->
"Minimum Password Age" to at least "1" day.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Account Policies -> Password Policy ->
"Minimum password length" to "14" characters.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Account Policies -> Password Policy ->
"Enforce password history" to "5" passwords remembered.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Account Policies -> Password Policy ->
"Maximum Password Age" to "60" days or less (excluding "0" which is
unacceptable).
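The password and account lockout values above can be verified offline against the [System Access] section of a `secedit /export` security template. This is an added example, not part of the STIG; the two templates are constructed samples. It assumes that lengths or history sizes above the stated "14" and "5" also pass, and that the template stores the GUI lockout duration "0" (until an administrator unlocks) as -1, so both values are accepted.

```python
# key in [System Access] -> (policy name from the fix text, compliance test)
RULES = {
    "PasswordComplexity": ("Password must meet complexity requirements", lambda v: v == 1),
    "ClearTextPassword": ("Store password using reversible encryption", lambda v: v == 0),
    "LockoutBadCount": ("Account lockout threshold", lambda v: 1 <= v <= 3),
    "ResetLockoutCount": ("Reset account lockout counter after", lambda v: v >= 60),
    # Assumption: -1 is the template form of "until administrator unlocks it".
    "LockoutDuration": ("Account lockout duration", lambda v: v in (0, -1)),
    "MinimumPasswordAge": ("Minimum Password Age", lambda v: v >= 1),
    # Assumption: values above the stated 14 and 5 are treated as compliant.
    "MinimumPasswordLength": ("Minimum password length", lambda v: v >= 14),
    "PasswordHistorySize": ("Enforce password history", lambda v: v >= 5),
    # Lower bound of 1 rejects both 0 and -1 (password never expires).
    "MaximumPasswordAge": ("Maximum Password Age", lambda v: 1 <= v <= 60),
}


def parse_system_access(text):
    """Return the key/value pairs of the [System Access] section only."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "system access" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def audit(text):
    """Return (key, policy name, reason) for every setting that is a finding."""
    values = parse_system_access(text)
    findings = []
    for key, (name, compliant) in RULES.items():
        raw = values.get(key)
        if raw is None:
            # Lockout counter and duration are absent when the threshold is 0.
            findings.append((key, name, "not defined"))
            continue
        try:
            number = int(raw)
        except ValueError:
            findings.append((key, name, "non-numeric value %r" % raw))
            continue
        if not compliant(number):
            findings.append((key, name, "value %d" % number))
    return findings


# Constructed sample templates (decode real exports from UTF-16 before parsing).
COMPLIANT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 5
LockoutBadCount = 3
ResetLockoutCount = 60
LockoutDuration = -1
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 3
"""

WEAK = """[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 1
[Event Audit]
MinimumPasswordLength = 14
"""

if __name__ == "__main__":
    for key, name, reason in audit(WEAK):
        print("FINDING  %-22s %s (%s)" % (key, name, reason))
```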

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Domain member: Require strong (Windows 2000 or Later) session key" to
"Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Domain member: Maximum machine account password age" to "30" or
less (excluding "0" which is unacceptable).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Domain member: Disable machine account password changes" to
"Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Domain member: Digitally sign secure channel data (when possible)" to
"Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Domain member: Digitally encrypt secure channel data (when possible)"
to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Domain member: Digitally encrypt or sign secure channel data (always)"
to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Devices: Allowed to format and eject removable media" to
"Administrators".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Interactive Logon: Do not require CTRL+ALT+DEL" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Interactive logon: Do not display last user name" to "Enabled".

Configure directory data (outside the root DSE) of a non-public directory
to prevent anonymous access.

For AD, there are multiple configuration items that could enable
anonymous access.

Changing the access permissions on the domain naming context object
(from the secure defaults) could enable anonymous access. If the check
procedures indicate this is the cause, the process that was used to change
the permissions should be reversed. This could have been through the
Windows Support Tools ADSI Edit console (adsiedit.msc).

The dsHeuristics option is used. This is addressed in check V-8555
(DS.0230_AD) in the AD Forest STIG.

Ensure the permissions on the System event log (System.evtx) are
configured to prevent standard user accounts or groups from having
greater than Read access. The default permissions listed below satisfy this
requirement:

Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS"
directory.

If the location of the logs has been changed, when adding Eventlog to the
permissions, it must be entered as "NT Service\Eventlog".

Ensure the permissions on the Application event log (Application.evtx) are
configured to prevent standard user accounts or groups from having
greater than Read access. The default permissions listed below satisfy this
requirement:

Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS"
directory.

If the location of the logs has been changed, when adding Eventlog to the
permissions, it must be entered as "NT Service\Eventlog".

Ensure the permissions on the System event log (System.evtx) are
configured to prevent standard user accounts or groups from having
access. The default permissions listed below satisfy this requirement:

Eventlog - Full Control
SYSTEM - Full Control
Administrators - Full Control

The default location is the "%SystemRoot%\SYSTEM32\WINEVT\LOGS"
directory.

If the location of the logs has been changed, when adding Eventlog to the
permissions, it must be entered as "NT Service\Eventlog".

Establish a policy that will ensure the retention of SAMI audit data for at
least five years. Ensure the audit retention policy is implemented.

Establish and implement a process for backing up log data on an
organization-defined frequency to another system or media other than the
system being audited.

Establish a site policy that defines a schedule for the review of audit logs.
Review audit logs as scheduled.

Establish a policy that will ensure the retention of audit data for at least
one year. Ensure the audit retention policy is implemented.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Access Credential Manager as a trusted caller" to be defined but
containing no entries (blank).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Act as part of the operating system" to be defined but containing no
entries (blank).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Allow log on locally" to only include the following accounts or groups:
Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Adjust memory quotas for a process" to only include the following
accounts or groups:

Administrators
Local Service
Network Service

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Back up files and directories" to only include the following accounts or
groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Allow log on through Remote Desktop Services" to only include the
following accounts or groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Change the system time" to only include the following accounts or
groups:

Administrators
Local Service

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Bypass traverse checking" to only include the following accounts or
groups:

Administrators
Authenticated Users
Local Service
Network Service
Window Manager\Window Manager Group

Install EMET V4.0 or later on the system. EMET is available for download
from Microsoft.

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Power Management -> Video and Display Settings
-> "Turn off the display (plugged in)" to "Enabled" with "1200" seconds or
less.

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Power Management -> Video and Display Settings
-> "Turn off the display (on battery)" to "Enabled" with "1200" seconds or
less.

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Power Management -> Sleep Settings -> "Require a
password when a computer wakes (plugged in)" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Power Management -> Sleep Settings -> "Require a
password when a computer wakes (on battery)" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Logon -> "Turn off app notifications on the lock
screen" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Logon -> "Enumerate local users on domain-joined
computers" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Remote Assistance -> "Configure Solicited Remote
Assistance" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Remote Assistance -> "Configure Offer Remote
Assistance" to "Disabled".

Configure the audit settings for Infrastructure object to include the
following.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None

The success types listed below are defaults. Where Special is listed in the
summary screens for Access, detailed Permissions are provided for
reference; various Properties selections may also exist by default.

Type - Success
Principal - Everyone
Access - Special
Inherited from - None
(Access - Special = Permissions: Write all properties, All extended rights,
Change infrastructure master)

Two instances with the following summary information will be listed.


Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> System -> "Audit IPSec Driver" with "Failure"
selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> System -> "Audit Security State Change" with
"Success" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Privilege Use -> "Audit Sensitive Privilege Use"
with "Success" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> System -> "Audit IPSec Driver" with "Success"
selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Privilege Use -> "Audit Sensitive Privilege Use"
with "Failure" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> System -> "Audit Security System Extension" with
"Success" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> System -> "Audit Security State Change" with
"Failure" selected.

If the Windows Time Service is used, configure it as follows.

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: \System\CurrentControlSet\Services\W32Time\Config\
Value Name: EventLogFlags
Type: REG_DWORD
Value: 2

If another time synchronization tool is used, configure it to log time source
switching.

Ensure the policy value for Computer Configuration -> Windows Settings
-> Security Settings -> Local Policies -> Security Options -> "Network
access: Shares that can be accessed anonymously" contains no entries
(blank).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network access: Restrict anonymous access to Named Pipes and Shares"
to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network access: Do not allow storage of passwords and credentials for
network authentication" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network access: Do not allow anonymous enumeration of SAM accounts
and shares" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network access: Do not allow anonymous enumeration of SAM accounts"
to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network access: Allow anonymous SID/Name translation" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network access: Remotely accessible registry paths and sub-paths" with
the following entries:

Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Perflib
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
System\CurrentControlSet\Services\Eventlog
System\CurrentControlSet\Services\Sysmonlog

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network access: Remotely accessible registry paths" with the following
entries:

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network access: Let everyone permissions apply to anonymous users" to
"Disabled".

Implement network protections to reduce the risk of anonymous access.

Network hardware ports at the site are subject to 802.1x authentication or
MAC address restrictions.

Premise firewall or host restrictions prevent access to ports 389, 636,
3268, and 3269 from client hosts not explicitly identified by domain (.mil)
or IP address.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Event Log Service -> Application ->
"Specify the maximum log size (KB)" to at minimum "Enabled:32768".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Event Log Service -> Security ->
"Specify the maximum log size (KB)" to at minimum "Enabled:196608".

Ensure the permissions on SYSVOL directory do not allow greater than
read & execute for standard user accounts or groups. The defaults below
meet this requirement.

Type - Allow
Principal - Authenticated Users
Access - Read & execute
Inherited from - None
Applies to - This folder, subfolder and files

Type - Allow
Principal - Server Operators
Access - Read & execute
Inherited from - None
Applies to - This folder, subfolder and files

Type - Allow
Principal - Administrators
Access - Special
Inherited from - None
Applies to - This folder only
(Access - Special - Basic Permissions: all selected except Full control)

Type - Allow
Principal - CREATOR OWNER
Access - Full control
Inherited from - None
Applies to - Subfolders and files only

Type - Allow
Principal - Administrators
Access - Full control
Inherited from - None
Applies to - Subfolders and files only

Type - Allow
Principal - SYSTEM
Access - Full control

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Event Log Service -> System ->
"Specify the maximum log size (KB)" to at minimum "Enabled:32768".

EMET 4.0
Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> EMET -> "Default Protections for
Recommended Software" to "Enabled".

The Enhanced Mitigation Experience Toolkit must be installed on the
system and the administrative template files added to make this setting
available.

EMET 4.0
Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> EMET -> "Default Protections for
Popular Software" to "Enabled".

The Enhanced Mitigation Experience Toolkit must be installed on the
system and the administrative template files added to make this setting
available.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Update -> "Configure
Automatic Updates" to "Disabled".

If the site is using a DoD WSUS server to distribute software updates, the
policy setting to configure the WSUS URL is Computer Configuration ->
Administrative Templates -> Windows Components -> Windows Update ->
"Specify intranet Microsoft update service location".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> EMET -> "System SEHOP" to
"Enabled" with "Application Opt Out" selected.

The Enhanced Mitigation Experience Toolkit must be installed on the
system and the administrative template files added to make this setting
available.

Document applications that do not function properly due to this setting,
and are opted out, with the IAO.

Opted out exceptions can be configured with the following command:

EMET_Conf --Set "application path\executable name" -SEHOP

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Remote Management
(WinRM) -> WinRM Service -> "Allow unencrypted traffic" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Remote Management
(WinRM) -> WinRM Service -> "Allow Basic authentication" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Remote Management
(WinRM) -> WinRM Client -> "Disallow Digest authentication" to
"Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Remote Management
(WinRM) -> WinRM Client -> "Allow unencrypted traffic" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Remote Management
(WinRM) -> WinRM Client -> "Allow Basic authentication" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Media Player -> "Prevent
Automatic Updates" to "Enabled".

Windows Media Player is not installed by default. If it is not installed, this
is NA.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Media Player -> "Do Not
Show First Use Dialog Boxes" to "Enabled".

Windows Media Player is not installed by default. If it is not installed, this
is NA.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Media Digital Rights
Management -> "Prevent Windows Media DRM Internet Access" to
"Enabled".

Configure the policy value in the Default Domain Policy for Computer
Configuration -> Policies -> Windows Settings -> Security Settings ->
Account Policies -> Kerberos Policy -> "Maximum lifetime for user ticket"
to a maximum of 10 hours, but not 0 which equates to "Ticket doesn't
expire".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Private Profile Tab ->
Settings (select Customize) -> Firewall settings, "Display a notification" to
"Yes (default)".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Microsoft network client: Digitally sign communications (always)" to
"Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Microsoft network client: Digitally sign communications (if server
agrees)" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Interactive logon: Smart card removal behavior" to "Lock Workstation" or
"Force Logoff".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Interactive Logon: Number of previous logons to cache (in case domain
controller is not available)" to "4" logons or less.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Interactive Logon: Prompt user to change password before expiration" to
"14" days or more.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Interactive Logon: Message text for users attempting to log on" to the
following:

You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent
to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for
purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM),
law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are
subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to
PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Interactive Logon: Message title for users attempting to log on" to "DoD
Notice and Consent Banner", "US Department of Defense Warning
Statement", or a site-defined equivalent.

If a site-defined title is used, it can in no case contravene or modify the
language of the banner text required in V-1089.

If BitLocker is enabled for the OS volumes, configure the policy value for
Computer Configuration -> Windows Settings -> Security Settings -> Local
Policies -> Security Options -> "Interactive logon: Machine account lockout
threshold" to "10" invalid logon attempts.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Interactive logon: Machine inactivity limit" to "900" seconds or less.

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Device Installation -> "Allow remote access to the
Plug and Play interface" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> "Specify settings for optional component
installation and component repair" to "Enabled" and with "Never attempt
to download payload from Windows Update" selected.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> Windows Connect Now -> "Prohibit Access of the
Windows Connect Now wizards" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> Windows Connect Now -> "Configuration of
wireless settings using Windows Connect Now" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> TCPIP Settings -> Parameters -> "Set IP Stateless
Autoconfiguration Limits State" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Network -> TCPIP Settings -> IPv6 Transition Technologies ->
"Set Teredo State" to "Enabled: Disabled State".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Printers -> "Extend Point and Print connection to search
Windows Update" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Domain Profile Tab ->
State, "Firewall state" to "On (recommended)".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Domain Profile Tab ->
State, "Outbound connections" to "Allow (default)".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Domain Profile Tab ->
State, "Inbound connections" to "Block (default)".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Troubleshooting and Diagnostics -> Windows
Performance PerfTrack -> "Enable/Disable PerfTrack" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network security: Allow PKU2U authentication requests to this computer
to use online identities" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Troubleshooting and Diagnostics -> Microsoft
Support Diagnostic Tool -> "Microsoft Support Diagnostic Tool: Turn on
MSDT interactive communication with Support Provider" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Troubleshooting and Diagnostics -> Scripted
Diagnostics -> "Troubleshooting: Allow users to access online
troubleshooting content on Microsoft servers from the Troubleshooting
Control Panel (via Windows Online Troubleshooting Service - WOTS)" to
"Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Remote Procedure Call -> "Restrict
Unauthenticated RPC clients" to "Enabled" and "Authenticated".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Troubleshooting and Diagnostics -> Application
Compatibility Diagnostics -> "Detect compatibility issues for applications
and drivers" to "Disabled".

Detailed auditing subcategories are configured in Security Settings ->
Advanced Audit Policy Configuration. The summary level settings under
Security Settings -> Local Policies -> Audit Policy will not be enforced (see
V-14230).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> DS Access -> "Directory Service Access" with
"Failure" selected.

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Remote Procedure Call -> "Enable RPC Endpoint
Mapper Client Authentication" to "Enabled".

Ensure files owned by users are stored on a different logical partition than
the directory server data files.

Configure the policy value in the Default Domain Policy for Computer
Configuration -> Policies -> Windows Settings -> Security Settings ->
Account Policies -> Kerberos Policy -> "Maximum lifetime for user ticket
renewal" to a maximum of 7 days or less.

Detailed auditing subcategories are configured in Security Settings ->
Advanced Audit Policy Configuration. The summary level settings under
Security Settings -> Local Policies -> Audit Policy will not be enforced (see
V-14230).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> DS Access -> "Directory Service Changes" with
"Success" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Logon/Logoff -> "Audit Logon" with "Failure"
selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Logon/Logoff -> "Audit Logoff" with "Success"
selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Logon/Logoff -> "Audit Logon" with "Success"
selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network security: Allow LocalSystem NULL session fallback" to
"Disabled".

Ensure the Windows Time Service is configured as follows or install and
enable another time synchronization tool.

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\
Value Name: Enabled
Type: REG_DWORD
Value: 1

Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\
Value Name: Type
Type: REG_SZ
Value: NT5DS (preferred), NTP or Allsync
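
The two Windows Time Service requirements in this checklist (the EventLogFlags value listed earlier and the NtpClient and Type values above) can be verified in one pass. This is an added PowerShell example, not part of the original checklist; it reads only the registry paths and values the checklist states, and the function and variable names are illustrative. It applies only when the Windows Time Service is the time synchronization tool in use.

```powershell
# Expected values, exactly as stated in the checklist's fix text.
# Kind uses the .NET RegistryValueKind names: DWord = REG_DWORD, String = REG_SZ.
$W32TimeChecks = @(
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\W32Time\Config'
       Name = 'EventLogFlags'; Kind = 'DWord';  Allowed = @(2) }
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'
       Name = 'Enabled';       Kind = 'DWord';  Allowed = @(1) }
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\W32Time\Parameters'
       Name = 'Type';          Kind = 'String'; Allowed = @('NT5DS', 'NTP', 'Allsync') }
)

function Test-RegistrySetting {
    # Hypothetical helper: compares one registry value against its allowed values.
    param([hashtable]$Check)

    $result = [ordered]@{
        Path     = $Check.Path
        Name     = $Check.Name
        Expected = ($Check.Allowed -join ' | ')
        Actual   = $null
        Status   = 'Missing'          # key or value not present
    }

    $key = Get-Item -LiteralPath $Check.Path -ErrorAction SilentlyContinue
    if ($key) {
        $value = $key.GetValue($Check.Name, $null)
        if ($null -ne $value) {
            $result.Actual = $value
            $kind = $key.GetValueKind($Check.Name).ToString()
            if ($kind -ne $Check.Kind) {
                # Right name, wrong registry type (e.g. REG_SZ "2" instead of REG_DWORD 2).
                $result.Status = "Wrong type ($kind)"
            }
            elseif ($Check.Allowed -contains $value) {
                $result.Status = 'Compliant'
            }
            else {
                $result.Status = 'Finding'
            }
        }
    }
    [pscustomobject]$result
}

# Run every check and show one row per setting.
$W32TimeChecks |
    ForEach-Object { Test-RegistrySetting -Check $_ } |
    Format-Table Name, Expected, Actual, Status, Path -AutoSize
```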

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network access: Sharing and security model for local accounts" to
"Classic - local users authenticate as themselves".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network security: Allow Local System to use computer identity for NTLM"
to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network security: Force logoff when logon hours expire" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network security: LAN Manager authentication level" to "Send NTLMv2
response only. Refuse LM & NTLM".

The default configuration supports this requirement. If Kerberos
encryption types must be configured, ensure that the following are not
selected:

DES_CBC_CRC
DES_CBC_MD5

If the policy for Computer Configuration -> Windows Settings -> Security
Settings -> Local Policies -> Security Options -> "Network security:
Configure encryption types allowed for Kerberos" is configured, only the
following selections are allowed:

RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network security: Do not store LAN Manager hash value on next
password change" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network security: LDAP client signing requirements" to "Negotiate
signing" at a minimum.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network security: Minimum session security for NTLM SSP based
(including secure RPC) clients" to "Require NTLMv2 session security" and
"Require 128-bit encryption" (all options selected).

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Installer -> "Always install
with elevated privileges" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Installer -> "Prevent
Internet Explorer security prompt for Windows Installer scripts" to
"Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Error Reporting -> "Do
not send additional data" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Installer -> "Allow user
control over installs" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Error Reporting ->
"Disable Logging" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Replace a process level token" to only include the following accounts or
groups:

Local Service
Network Service

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Store -> "Turn off the Store
application" to "Enabled".

The Windows Store is not installed by default. If the
\Windows\WindowsStore directory does not exist, this is NA.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Defender -> "Configure
Microsoft Active Protection Service Reporting" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Modify firmware environment values" to only include the following
accounts or groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Perform volume maintenance tasks" to only include the following
accounts or groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Profile single process" to only include the following accounts or groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Profile system performance" to only include the following accounts or
groups:

Administrators
NT Service\WdiServiceHost

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Log on as a batch job" to only include the following accounts or groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Manage auditing and security log" to only include the following accounts
or groups:

Administrators

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Logon Options -> "Report
when logon server was not available during user logon" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Event Log Service -> Setup ->
"Specify the maximum log size (KB)" to at minimum "Enabled:32768".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Deny access to this computer from the network" to include the following:

Guests Group

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Private Profile Tab -> State,
"Outbound connections" to "Allow (default)".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Device Installation -> "Prevent device metadata
retrieval from internet" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Device Installation -> "Prevent Windows from
sending an error report when a device driver requests additional software
during installation" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Device Installation -> "Do not send a Windows
error report when a generic driver is installed on a device" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Device Installation -> "Prevent creation of a system
restore point during device activity that would normally prompt creation
of a restore point" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Driver Installation -> "Turn off Windows Update
device driver search prompt" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Early Launch Antimalware -> "Boot-Start Driver
Initialization Policy" to "Enabled" with "Good and Unknown" selected.

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Device Installation -> "Specify search order for
device driver source locations" to "Enabled: Do not search Windows
Update".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Device Installation -> "Specify the search server for
device driver updates" to "Enabled" with "Search Managed Server"
selected.

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Group Policy -> "Configure registry policy
processing" to "Enabled" and select the option "Process even if the Group
Policy objects have not changed".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Group Policy -> "Turn off background refresh of
Group Policy" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Windows Installer -> "Prohibit
non-administrators from applying vendor signed updates" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Load and unload device drivers" to only include the following accounts or
groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Modify an object label" to be defined but containing no entries (blank).

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> File Explorer -> "Configure
Windows SmartScreen" to "Enabled" with "Turn off SmartScreen"
selected.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> File Explorer -> "Turn off Data
Execution Prevention for Explorer" to "Disabled".

Maintain the default permissions for the system drive's root directory and
configure the Security Option: "Network access: Let everyone permissions
apply to anonymous users" to "Disabled" (V-3377).

Default Permissions
C:\
Type - "Allow" for all
Inherited from - "None" for all

Principal - Access - Applies to

SYSTEM - Full control - This folder, subfolders and files
Administrators - Full control - This folder, subfolders and files
Users - Read & execute - This folder, subfolders and files
Users - Create folders / append data - This folder and subfolders
Users - Create files / write data - Subfolders only
CREATOR OWNER - Full Control - Subfolders and files only

Maintain the default permissions for the program file directories and
configure the Security Option: "Network access: Let everyone permissions
apply to anonymous users" to "Disabled" (V-3377).

Default Permissions:
\Program Files and \Program Files (x86)
Type - "Allow" for all
Inherited from - "None" for all

Principal - Access - Applies to

TrustedInstaller - Full control - This folder and subfolders
SYSTEM - Modify - This folder only
SYSTEM - Full control - Subfolders and files only
Administrators - Modify - This folder only
Administrators - Full control - Subfolders and files only
Users - Read & execute - This folder, subfolders and files
CREATOR OWNER - Full control - Subfolders and files only
ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files

Format all partitions/drives to use NTFS.

Install DoD-approved virus scanning software.

Configure the antivirus program to update the signature file at least every
7 days. More frequent (daily) updates are recommended.

Configure the audit settings for Group Policy objects to include the
following.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object and all descendant objects

The three Success types listed below are defaults inherited from the
Parent Object. Where Special is listed in the summary screens for Access,
detailed Permissions are provided for reference, various Properties
selections may also exist by default.

Type - Success
Principal - Everyone
Access - Special
Inherited from - Parent Object
Applies to - Descendant Organization Unit Objects
(Access - Special = Permissions: Write all properties, Modify permissions)

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - (blank)
Inherited from - Parent Object
Applies to - Descendant Organization Unit Objects

Update the system to a supported release or service pack level.

Application of new service packs must be thoroughly tested before
deploying in a production environment.

Maintain the default file ACLs and configure the Security Option: "Network
access: Let everyone permissions apply to anonymous users" to "Disabled"
(V-3377).

Default Permissions:
Type - "Allow" for all
Inherited from - "None" for all

Principal - Access - Applies to
TrustedInstaller - Full control - This folder and subfolders
SYSTEM - Modify - This folder only
SYSTEM - Full control - Subfolders and files only
Administrators - Modify - This folder only
Administrators - Full control - Subfolders and files only
Users - Read & execute - This folder, subfolders and files
CREATOR OWNER - Full control - Subfolders and files only
ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files

Install password complexity software and configure it to enforce the
required DoD standards of a case sensitive mix of at least one of each of
uppercase letters, lowercase letters, numbers, and special characters.

If the enpasflt password filter is used:

-Copy the appropriate version to %systemroot%\system32.
-Add the file name (e.g., "EnPasFltV2x86") to the "Notification Packages"
value under registry key "HKLM\System\CurrentControlSet\Control\LSA".
-Restart the system.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Account Logon -> "Audit Credential Validation"
with "Success" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Account Logon -> "Audit Credential Validation"
with "Failure" selected.

Obtain a server certificate for the domain controller.

Ensure the permissions on Group Policy objects do not allow greater than
Read and Apply group policy for standard user accounts or groups. The
defaults below meet this requirement.

CREATOR OWNER - Special permissions

Authenticated Users - Read, Apply group policy, Special permissions

The Special permissions for Authenticated Users are for Read type
Properties.

SYSTEM - Read, Write, Create all child objects, Delete all child objects,
Special permissions

Domain Admins - Read, Write, Create all child objects, Delete all child
objects, Special permissions

Enterprise Admins - Read, Write, Create all child objects, Delete all child
objects, Special permissions

ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Document any other access permissions that allow the objects to be
updated with the IAO.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> EMET -> "System DEP" to
"Enabled" with at least "Application Opt Out" selected.

The Enhanced Mitigation Experience Toolkit must be installed on the
system and the administrative template files added to make this setting
available.

Document applications that do not function properly due to this setting,
and are opted out, with the IAO.

Opted out exceptions can be configured with the following command:

EMET_Conf --Set "application path\executable name" -DEP

Alternately, configure exceptions in System Properties:

Select "System" in Control Panel.
Select "Advanced system settings".
Click "Settings" in the "Performance" section.
Select the "Data Execution Prevention" tab.
Select "Turn on DEP for all programs and services except those I select:".

Applications that are opted out are configured in the window below this
selection.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> File Explorer -> "Turn off shell
protocol protected mode" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> File Explorer -> "Turn off heap
termination on corruption" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Connection Client -> "Do not allow passwords to be
saved" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Location and Sensors -> "Turn off
location" to "Enabled".

If location services are approved by the organization for a device, this must
be documented.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Security -> "Always prompt for password
upon connection" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Device and Resource Redirection -> "Do
not allow drive redirection" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(EnableICMPRedirect) Allow ICMP redirects to override OSPF generated
routes" to "Disabled".

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(DisableIPSourceRouting) IP source routing protection level (protects
against packet spoofing)" to "Highest protection, source routing is
completely disabled".

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Add workstations to domain" to only include the following accounts or
groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Microsoft network server: Server SPN target name validation level" to
"Off".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Microsoft network server: Disconnect clients when logon hours expire" to
"Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(DisableIPSourceRouting IPv6) IP source routing protection level (protects
against packet spoofing)" to "Highest protection, source routing is
completely disabled".

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "MSS:
(AutoAdminLogon) Enable Automatic Logon (not recommended)" to
"Disabled".

Ensure no passwords are stored in the "DefaultPassword" registry value
noted below:

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

Value Name: DefaultPassword

(See "Updating the Windows Security Options File" in the STIG Overview
document if MSS settings are not visible in the system's policy tools.)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Microsoft network server: Amount of idle time required before
suspending a session" to "15" minutes or less.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Microsoft network client: Send unencrypted password to connect to
third-party SMB servers" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Microsoft network server: Digitally sign communications (if client
agrees)" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Microsoft network server: Digitally sign communications (always)" to
"Enabled".

Configure the policy value in the Default Domain Policy for Computer
Configuration -> Windows Settings -> Security Settings -> Account Policies
-> Kerberos Policy -> "Maximum tolerance for computer clock
synchronization" to a maximum of 5 minutes or less.

Ensure the permissions on NTDS database and log files are maintained as
follows.
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)

(I) - permission inherited from parent container
(F) - full access

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Private Profile Tab ->
Logging (select Customize), "Logged successful connections" to "Yes".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Increase scheduling priority" to only include the following accounts or
groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Public Profile Tab -> State,
"Firewall state" to "On (recommended)".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Private Profile Tab ->
Logging (select Customize), "Size limit (KB)" to "16,384" (or greater).

Configure a comparable setting if a third-party firewall is used.


Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Private Profile Tab ->
Logging (select Customize), "Log dropped packets" to "Yes".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Private Profile Tab ->
Settings (select Customize) -> Unicast response, "Allow unicast response"
to "No".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Private Profile Tab ->
Logging (select Customize), "Name" to
"%windir%\system32\logfiles\firewall\privatefirewall.log".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> EMET -> "Default Protections for
Internet Explorer" to "Enabled".

The Enhanced Mitigation Experience Toolkit must be installed on the
system and the administrative template files added to make this setting
available.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> EMET -> "System ASLR" to
"Enabled" with "Application Opt-in" selected.

The Enhanced Mitigation Experience Toolkit must be installed on the
system and the administrative template files added to make this setting
available.

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Biometrics -> "Allow the use of
biometrics" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> AutoPlay Policies -> "Turn off
AutoPlay" to "Enabled:All Drives".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Credential User Interface ->
"Enumerate administrator accounts on elevation" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Credential User Interface -> "Do
not display the password reveal button" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Application Compatibility -> "Turn
off Inventory Collector" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> App Package Deployment ->
"Allow all trusted apps to install" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> AutoPlay Policies -> "Set the
default behavior for AutoRun" to "Enabled:Do not execute any autorun
commands".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> AutoPlay Policies -> "Disallow
Autoplay for non-volume devices" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Public Profile Tab ->
Logging (select Customize), "Size limit (KB)" to "16,384" (or greater).

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Public Profile Tab ->
Logging (select Customize), "Name" to
"%windir%\system32\logfiles\firewall\publicfirewall.log".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Public Profile Tab ->
Settings (select Customize) -> Rule merging, "Apply local firewall rules:" to
"No".

Configure a comparable setting if a third-party firewall is used.


Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Public Profile Tab ->
Settings (select Customize) -> Rule merging, "Apply local connection
security rules:" to "No".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Public Profile Tab ->
Settings (select Customize) -> Unicast response, "Allow unicast response"
to "No".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Public Profile Tab ->
Settings (select Customize) -> Firewall settings, "Display a notification" to
"Yes (default)".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Public Profile Tab -> State,
"Outbound connections" to "Allow (default)".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Public Profile Tab -> State,
"Inbound connections" to "Block (default)".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Private Profile Tab -> State,
"Inbound connections" to "Block (default)".

Configure a comparable setting if a third-party firewall is used.


Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Public Profile Tab ->
Logging (select Customize), "Logged successful connections" to "Yes".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Public Profile Tab ->
Logging (select Customize), "Log dropped packets" to "Yes".

Configure a comparable setting if a third-party firewall is used.
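
The Windows Firewall values listed above for the Private and Public profiles can be compared against the effective policy in one pass. This PowerShell check is an added example, not part of the STIG; it assumes the NetSecurity module's Get-NetFirewallProfile cmdlet is available, and the function name Test-FirewallProfile and the fallback sample object are constructed for illustration.

```powershell
# Added example, not part of the STIG. Expected values are the ones this section
# lists; property names are those of Get-NetFirewallProfile (NetSecurity module).
$Expected = [ordered]@{
    Private = [ordered]@{
        DefaultInboundAction            = 'Block'
        AllowUnicastResponseToMulticast = 'False'   # "Allow unicast response" = No
        LogAllowed                      = 'True'    # "Logged successful connections"
        LogBlocked                      = 'True'    # "Log dropped packets"
        LogMaxSizeKilobytes             = 16384     # or greater
        LogFileName                     = '%windir%\system32\logfiles\firewall\privatefirewall.log'
    }
    Public = [ordered]@{
        Enabled                         = 'True'    # "Firewall state" = On
        DefaultInboundAction            = 'Block'
        DefaultOutboundAction           = 'Allow'
        AllowUnicastResponseToMulticast = 'False'
        NotifyOnListen                  = 'True'    # "Display a notification" = Yes
        AllowLocalFirewallRules         = 'False'   # "Apply local firewall rules" = No
        AllowLocalIPsecRules            = 'False'   # "Apply local connection security rules" = No
        LogAllowed                      = 'True'
        LogBlocked                      = 'True'
        LogMaxSizeKilobytes             = 16384
        LogFileName                     = '%windir%\system32\logfiles\firewall\publicfirewall.log'
    }
}

function Test-FirewallProfile {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $FwProfile,   # object exposing the properties above
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    foreach ($prop in $Expected.Keys) {
        $want = $Expected[$prop]
        $have = $FwProfile.$prop
        $ok = switch ($prop) {
            # The log size is a minimum, not an exact value.
            'LogMaxSizeKilobytes' { [uint64]$have -ge [uint64]$want }
            # Paths may be stored with %systemroot% or %windir%; compare expanded.
            'LogFileName' {
                $h = [Environment]::ExpandEnvironmentVariables("$have")
                $w = [Environment]::ExpandEnvironmentVariables("$want")
                $h -eq $w
            }
            # Anything else, including NotConfigured, must match exactly.
            default { "$have" -eq "$want" }
        }
        [pscustomobject]@{
            Profile   = $Name
            Setting   = $prop
            Required  = $want
            Effective = $have
            Compliant = $ok
        }
    }
}

if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    # ActiveStore is the policy in effect after Group Policy and local settings merge.
    $report = foreach ($name in $Expected.Keys) {
        $fw = Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore
        Test-FirewallProfile -Name $name -FwProfile $fw -Expected $Expected[$name]
    }
} else {
    # Constructed sample (not captured from a real system) so the check runs anywhere.
    $sample = [pscustomobject]@{
        Enabled = 'True'; DefaultInboundAction = 'Block'; DefaultOutboundAction = 'Allow'
        AllowUnicastResponseToMulticast = 'True'; NotifyOnListen = 'True'
        AllowLocalFirewallRules = 'True'; AllowLocalIPsecRules = 'False'
        LogAllowed = 'False'; LogBlocked = 'True'; LogMaxSizeKilobytes = 4096
        LogFileName = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
    }
    $report = Test-FirewallProfile -Name 'Public (constructed sample)' `
        -FwProfile $sample -Expected $Expected['Public']
}

# List only the deviations.
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```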

Configure the audit settings for RID Manager$ object to include the
following.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None

The success types listed below are defaults. Where Special is listed in the
summary screens for Access, detailed Permissions are provided for
reference, various Properties selections may also exist by default.

Type - Success
Principal - Everyone
Access - Special
Inherited from - None
(Access - Special = Write all properties, All extended writes, Change RID
master)

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Account Management -> "Audit User Account
Management" with "Success" selected.

Configure the audit settings for Domain object to include the following.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None
Applies to - This object only

The success types listed below are defaults. Where Special is listed in the
summary screens for Access, detailed Permissions are provided for
reference, various Properties selections may also exist by default.

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - (blank)
Inherited from - None
Applies to - Special

Type - Success
Principal - Domain Users
Access - All extended rights
Inherited from - None
Applies to - This object only

Type - Success
Principal - Administrators
Access - All extended rights
Inherited from - None
Applies to - This object only

Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Permissions: Write all properties, Modify permissions,
Modify owner.)

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Account Management -> "Audit Computer
Account Management" with "Failure" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Account Management -> "Audit Security Group
Management" with "Success" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Account Management -> "Audit Other Account
Management Events" with "Failure" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Logon/Logoff -> "Audit Special Logon" with
"Success" selected.

Create the necessary documentation that identifies the members of the
Administrators group.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Object Access -> "Audit Central Access Policy
Staging" with "Success" selected.
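
The Advanced Audit Policy entries in this section (Credential Validation, the Account Management subcategories, Special Logon, and Central Access Policy Staging successes) can be verified against the output of `auditpol /get /category:* /r`. This PowerShell check is an added example, not part of the STIG; it assumes English-language auditpol output, and the function name Test-AuditPolicy and the sample rows are constructed for illustration.

```powershell
# Added example, not part of the STIG. Required subcategories and outcomes are
# the ones this section lists; the sample CSV further down is constructed.
$Required = [ordered]@{
    'Credential Validation'           = @('Success', 'Failure')
    'User Account Management'         = @('Success')
    'Computer Account Management'     = @('Failure')
    'Security Group Management'       = @('Success')
    'Other Account Management Events' = @('Failure')
    'Special Logon'                   = @('Success')
    'Central Access Policy Staging'   = @('Success')
}

function Test-AuditPolicy {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Required
    )
    # auditpol /r emits CSV, sometimes with blank lines; drop them before parsing.
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Required.Keys) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Subcategory not found' }
        # "Success and Failure" satisfies either requirement; "No Auditing"
        # and a missing subcategory satisfy none.
        $missing = @($Required[$name] | Where-Object {
            $setting -notmatch ('\b' + [regex]::Escape($_) + '\b')
        })
        [pscustomobject]@{
            Subcategory = $name
            Required    = $Required[$name] -join ' and '
            Effective   = $setting
            Compliant   = ($missing.Count -eq 0)
        }
    }
}

# Constructed sample in the column layout of `auditpol /get /category:* /r`
# (GUID column left empty). On a live system, from an elevated prompt, use:
#   Test-AuditPolicy -CsvLines (auditpol /get /category:* /r) -Required $Required
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'DC01,System,Credential Validation,,Success and Failure,'
    'DC01,System,User Account Management,,Success,'
    'DC01,System,Computer Account Management,,Success,'
    'DC01,System,Security Group Management,,Success and Failure,'
    'DC01,System,Other Account Management Events,,No Auditing,'
    'DC01,System,Special Logon,,Success,'
)

Test-AuditPolicy -CsvLines $sample -Required $Required | Format-Table -AutoSize
```

In the constructed sample, Computer Account Management audits only successes, Other Account Management Events is not audited, and Central Access Policy Staging is absent, so those three rows are reported as non-compliant.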

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Enable computer and user accounts to be trusted for delegation" to only
include the following accounts or groups:

Administrators

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Recovery console: Allow automatic administrative logon" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Network security: Minimum session security for NTLM SSP based
(including secure RPC) servers" to "Require NTLMv2 session security" and
"Require 128-bit encryption" (all options selected).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Shutdown: Allow system to be shutdown without having to log on" to
"Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Recovery console: Allow floppy copy and access to all drives and folders"
to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "System
objects: Require case insensitivity for non-Windows subsystems" to
"Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "System
cryptography: Use FIPS compliant algorithms for encryption, hashing, and
signing" to "Enabled".

Configure the policy value in the Default Domain Policy for Computer
Configuration -> Policies -> Windows Settings -> Security Settings ->
Account Policies -> Kerberos Policy -> "Enforce user logon restrictions" to
"Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "System
objects: Strengthen default permissions of internal system objects (e.g.
Symbolic Links)" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "User
Account Control: Behavior of the elevation prompt for standard users" to
"Automatically deny elevation requests".

UAC requirements are NA on Server Core installations.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options -> "User
Account Control: Behavior of the elevation prompt for administrators in
Admin Approval Mode" to "Prompt for consent".

More secure options for this setting would also be acceptable (e.g.,
Prompt for credentials, Prompt for consent (or credentials) on the secure
desktop).

UAC requirements are NA on Server Core installations.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> Security Options ->
"Domain controller: Refuse machine account password changes" to
"Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> RSS Feeds -> "Prevent downloading
of enclosures" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Temporary Folders -> "Do not use
temporary folders per session" to "Disabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Lock pages in memory" to be defined but containing no entries (blank).

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> RSS Feeds -> "Turn on Basic feed
authentication over HTTP" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Session Time Limits -> "Set time limit for
active but idle Remote Desktop Services sessions" to "Enabled", and the
"Idle session limit" to 15 minutes or less, excluding "0", which equates to
"Never".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Security -> "Set client connection
encryption level" to "Enabled" and "High Level".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Temporary Folders -> "Do not delete
temp folder upon exit" to "Disabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Remote Desktop Services ->
Remote Desktop Session Host -> Session Time Limits -> "Set time limit for
disconnected sessions" to "Enabled", and "End a disconnected session" to
"1 minute".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Force shutdown from a remote system" to only include the following
accounts or groups:

Administrators

Configure the policy value for Computer Configuration -> Administrative
Templates -> Windows Components -> Store -> "Turn off Automatic
Download of updates" to "Enabled".

The Windows Store is not installed by default. If the
\Windows\WindowsStore directory does not exist, this is NA.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Increase a process working set" to only include the following accounts or
groups:

Administrators
Local Service
Window Manager\Window Manager Group

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Impersonate a client after authentication" to only include the following
accounts or groups:

Administrators
Service
Local Service
Network Service

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Generate security audits" to only include the following accounts or
groups:

Local Service
Network Service

Replace unauthorized certificates associated with user accounts with ones
issued by the DoD PKI or an approved External Certificate Authority.

Configure the audit settings for Domain Controllers OU object to include
the following.

Type - Fail
Principal - Everyone
Access - Full Control
Inherited from - None

The success types listed below are defaults. Where Special is listed in the
summary screens for Access, detailed Permissions are provided for
reference, various Properties selections may also exist by default.

Type - Success
Principal - Everyone
Access - Special
Inherited from - None
Applies to - This object only
(Access - Special = Permissions: all create, delete and modify permissions)

Type - Success
Principal - Everyone
Access - Write all properties
Inherited from - None
Applies to - This object and all descendant objects

Two instances with the following summary information will be listed.

Type - Success
Principal - Everyone
Access - (blank)
Inherited from - (CN of domain)
Applies to - Descendant Organizational Unit objects

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Access this computer from the network" to only include the following
accounts or groups:

Administrators
Authenticated Users
Enterprise Domain Controllers

Ensure only Read permissions are assigned to standard user accounts and
groups for the following registry key. The default configuration satisfies
this requirement.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Configure the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Value Name: LocalAccountTokenFilterPolicy

Type: REG_DWORD
Value: 0

Ensure only Read permissions are assigned to standard user accounts and
groups for the following registry keys. The default configuration satisfies
this requirement.
All systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

Ensure the system is configured to prevent anonymous users from gaining
access to the registry. Maintain the default permissions of the following
registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\

Administrators - Full
Backup Operators - Read(QENR)
Local Service - Read

Configure the policy value in the Default Domain Policy for Computer
Configuration -> Policies -> Windows Settings -> Security Settings ->
Account Policies -> Kerberos Policy -> "Maximum lifetime for service
ticket" to a maximum of 600 minutes, but not 0 which equates to "Ticket
doesn't expire".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off Automatic Root Certificates Update"
to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off access to the Store" to "Enabled".

The Windows Store is not installed by default. If the
\Windows\WindowsStore directory does not exist, this is NA.

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off Event Viewer "Events.asp" links" to
"Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off downloading of print drivers over
HTTP" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off handwriting recognition error
reporting" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off Internet download for Web
publishing and online ordering wizards" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off Internet Connection Wizard if URL
connection is referring to Microsoft.com" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off printing over HTTP" to "Enabled".

Configure the policy value for Computer Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication settings -> "Turn off Internet File Association service" to
"Enabled".

Remove additional roles or applications such as web, database, and email
from the domain controller.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Deny log on as a batch job" to include the following:

Guests Group

Ensure all accounts are configured to require passwords to gain access.

The password required flag can be set by entering the following on a
command line: "Net user <account_name> /passwordreq:yes".

Regularly review accounts to determine if they are still active. Remove or
disable accounts that have not been used in the last 35 days.

Implement a tool to compare system files (e.g., *.exe, *.bat, *.com, *.cmd,
and *.dll) on servers against a baseline on a weekly basis.

Configure all passwords to expire. Ensure "Password never expires" is not
checked on any accounts. Document any exceptions with the IAO.

Establish site policy to register all virtual guest operating systems as
separate assets in a vulnerability and asset management system.

Ensure Windows Server 2012 is the only operating system installed for the
system to boot into. Remove alternate operating systems.

Configure domain-joined systems to restrict the existence of local user
accounts. Remove any unauthorized local accounts.

Configure the permissions on shared printers to restrict standard users to
only have Print permissions. This is typically given through the Everyone
group by default.

Deploy the McAfee Agent in accordance with the DoD HBSS STIG.

If a share is required on a system, configure the share and NTFS
permissions to limit access to the specific groups or accounts that require
it.

Remove any unnecessary nonsystem-created shares.

Configure the policy value for User Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication Settings -> "Turn off Help Ratings" to "Enabled".

Configure the policy value for User Configuration -> Administrative
Templates -> Windows Components -> Attachment Manager -> "Do not
preserve zone information in file attachments" to "Disabled".

Configure the policy value for User Configuration -> Administrative
Templates -> Start Menu and Taskbar -> Notifications -> "Turn off toast
notifications on the lock screen" to "Enabled".

Configure the policy value for User Configuration -> Administrative
Templates -> System -> Internet Communication Management -> Internet
Communication Settings -> "Turn off Help Experience Improvement
Program" to "Enabled".

Configure the policy value for User Configuration -> Administrative
Templates -> Control Panel -> Personalization -> "Prevent changing screen
saver" to "Enabled".

Configure the policy value for User Configuration -> Administrative
Templates -> Start Menu and Taskbar -> Notifications -> "Turn off
notifications network usage" to "Enabled".

Configure the policy value for User Configuration -> Administrative
Templates -> Control Panel -> Personalization -> "Force specific screen
saver" to "Enabled" with "scrnsave.scr" specified as the screen saver
executable name.

Configure the policy value for User Configuration -> Administrative
Templates -> Control Panel -> Personalization -> "Password protect the
screen saver" to "Enabled".

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Windows Firewall with Advanced Security
-> Windows Firewall with Advanced Security -> Windows Firewall
Properties (this link will be in the right pane) -> Private Profile Tab -> State,
"Firewall state" to "On (recommended)".

Configure a comparable setting if a third-party firewall is used.

Configure the policy value for User Configuration -> Administrative
Templates -> Control Panel -> Personalization -> "Enable Screen Saver" to
"Enabled".

Establish a site policy to prohibit the use of applications that access the
Internet, such as web browsers, or with potential Internet sources, such as
email, by administrative user accounts. Ensure the policy is enforced.

Ensure that each member of the Backup Operators group has separate
accounts for backup functions and standard user functions. Create the
necessary documentation that identifies the members of the Backup
Operators group.

Access the system's BIOS or system controller. Set a
supervisor/administrator password if one has not been set. Disable a
user-level password if one has been set.

Configure the system to use a boot loader installed on fixed media.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Account Management -> "Audit Computer
Account Management" with "Success" selected.

Ensure servers are located in secure, access-controlled areas.

Establish site policy that requires SAs be trained for all operating systems
running on systems under their control.

Define a policy that requires the default administrator passwords to be
changed at least annually or when any member of the administrative team
leaves the organization. Ensure the policy is implemented.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Account Management -> "Audit Other Account
Management Events" with "Success" selected.

Ensure each user with administrative privileges has a separate account for
user duties and one for privileged duties.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Local Policies -> User Rights Assignment ->
"Deny log on as a service" to include no entries (blank).

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Policy Change -> "Audit Audit Policy Change" with
"Success" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Policy Change -> "Audit Audit Policy Change" with
"Failure" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Policy Change -> "Audit Authentication Policy
Change" with "Success" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Object Access -> "Audit Registry" with "Failure"
selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Object Access -> "Audit Removable Storage" with
"Success" selected.

Configure the policy value for Computer Configuration -> Windows
Settings -> Security Settings -> Advanced Audit Policy Configuration ->
System Audit Policies -> Object Access -> "Audit Removable Storage" with
"Failure" selected.
