Microsoft Windows 11 STIG V1R6

STIG ID CCI Title
WN11-00-000005 CCI-000366 Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version.
WN11-00-000010 CCI-002421 Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled.
WN11-00-000015 CCI-002421 Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN11-00-000020 CCI-002421 Secure Boot must be enabled on Windows 11 systems.
WN11-00-000025 CCI-001233 Windows 11 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
WN11-00-000030 CCI-002475 Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
WN11-00-000031 CCI-002476 Windows 11 systems must use a BitLocker PIN for pre-boot authentication.
WN11-00-000032 CCI-000804 Windows 11 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.
WN11-00-000035 CCI-001774 The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
WN11-00-000040 CCI-000366 Windows 11 systems must be maintained at a supported servicing level.
WN11-00-000045 CCI-000366 The Windows 11 system must use an antivirus program.
WN11-00-000050 CCI-000213 Local volumes must be formatted using NTFS.
WN11-00-000055 CCI-000366 Alternate operating systems must not be permitted on the same system.
WN11-00-000060 CCI-001090 Non-system-created file shares on a system must limit access to groups that require it.
WN11-00-000065 CCI-000172 Unused accounts must be disabled or removed from the system after 35 days of inactivity.
WN11-00-000070 CCI-002165 Only accounts responsible for the administration of a system must have Administrator rights on the system.
WN11-00-000075 CCI-000366 Only accounts responsible for the backup operations must be members of the Backup Operators group.
WN11-00-000080 CCI-002165 Only authorized user accounts must be allowed to create or run virtual machines on Windows 11 systems.
WN11-00-000085 CCI-000366 Standard local user accounts must not exist on a system in a domain.
WN11-00-000090 CCI-000199 Accounts must be configured to require password expiration.
WN11-00-000095 CCI-002165 Permissions for system files and directories must conform to minimum requirements.
WN11-00-000100 CCI-000381 Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
WN11-00-000105 CCI-000382 Simple Network Management Protocol (SNMP) must not be installed on the system.
WN11-00-000110 CCI-000381 Simple TCP/IP Services must not be installed on the system.
WN11-00-000115 CCI-000382 The Telnet Client must not be installed on the system.
WN11-00-000120 CCI-000382 The TFTP Client must not be installed on the system.
WN11-00-000130 CCI-000366 Software certificate installation files must be removed from Windows 11.
WN11-00-000135 CCI-000366 A host-based firewall must be installed and enabled on the system.
WN11-00-000140 CCI-000366 Inbound exceptions to the firewall on Windows 11 domain workstations must only allow authorized remote management hosts.
WN11-00-000145 CCI-002824 Data Execution Prevention (DEP) must be configured to at least OptOut.
WN11-00-000150 CCI-002824 Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.
WN11-00-000155 CCI-000381 The Windows PowerShell 2.0 feature must be disabled on the system.
WN11-00-000160 CCI-000381 The Server Message Block (SMB) v1 protocol must be disabled on the system.
WN11-00-000165 CCI-000381 The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
WN11-00-000170 CCI-000381 The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
WN11-00-000175 CCI-000381 The Secondary Logon service must be disabled on Windows 11.
WN11-00-000190 CCI-000366 Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11.
WN11-00-000210 CCI-000381 Bluetooth must be turned off unless approved by the organization.
WN11-00-000220 CCI-000381 Bluetooth must be turned off when not in use.
WN11-00-000230 CCI-000366 The system must notify the user when a Bluetooth device attempts to connect.
WN11-00-000240 CCI-000366 Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
WN11-00-000250 CCI-001199 Windows 11 nonpersistent VM sessions must not exceed 24 hours.
WN11-00-000260 CCI-001891 The Windows 11 time service must synchronize with an appropriate DOD time source.
WN11-AC-000005 CCI-002238 Windows 11 account lockout duration must be configured to 15 minutes or greater.
WN11-AC-000010 CCI-000044 The number of allowed bad logon attempts must be configured to three or less.
WN11-AC-000015 CCI-000044 The period of time before the bad logon counter is reset must be configured to 15 minutes.
WN11-AC-000020 CCI-000200 The password history must be configured to 24 passwords remembered.
WN11-AC-000025 CCI-000199 The maximum password age must be configured to 60 days or less.
WN11-AC-000030 CCI-000198 The minimum password age must be configured to at least 1 day.
WN11-AC-000035 CCI-000205 Passwords must, at a minimum, be 14 characters.
WN11-AC-000040 CCI-000192 The built-in Microsoft password complexity filter must be enabled.
WN11-AC-000045 CCI-000196 Reversible password encryption must be disabled.
WN11-AU-000005 CCI-000172 The system must be configured to audit Account Logon - Credential Validation failures.
WN11-AU-000010 CCI-000172 The system must be configured to audit Account Logon - Credential Validation successes.
WN11-AU-000030 CCI-001914 The system must be configured to audit Account Management - Security Group Management successes.
WN11-AU-000035 CCI-001314 The system must be configured to audit Account Management - User Account Management failures.
WN11-AU-000040 CCI-001403 The system must be configured to audit Account Management - User Account Management successes.
WN11-AU-000045 CCI-000172 The system must be configured to audit Detailed Tracking - PNP Activity successes.
WN11-AU-000050 CCI-000172 The system must be configured to audit Detailed Tracking - Process Creation successes.
WN11-AU-000054 CCI-000172 The system must be configured to audit Logon/Logoff - Account Lockout failures.
WN11-AU-000060 CCI-000172 The system must be configured to audit Logon/Logoff - Group Membership successes.
WN11-AU-000065 CCI-000067 The system must be configured to audit Logon/Logoff - Logoff successes.
WN11-AU-000070 CCI-000172 The system must be configured to audit Logon/Logoff - Logon failures.
WN11-AU-000075 CCI-000172 The system must be configured to audit Logon/Logoff - Logon successes.
WN11-AU-000080 CCI-000172 The system must be configured to audit Logon/Logoff - Special Logon successes.
WN11-AU-000081 CCI-000172 Windows 11 must be configured to audit Object Access - File Share failures.
WN11-AU-000082 CCI-000172 Windows 11 must be configured to audit Object Access - File Share successes.
WN11-AU-000083 CCI-000172 Windows 11 must be configured to audit Object Access - Other Object Access Events successes.
WN11-AU-000084 CCI-000172 Windows 11 must be configured to audit Object Access - Other Object Access Events failures.
WN11-AU-000085 CCI-000172 The system must be configured to audit Object Access - Removable Storage failures.
WN11-AU-000090 CCI-000172 The system must be configured to audit Object Access - Removable Storage successes.
WN11-AU-000100 CCI-000172 The system must be configured to audit Policy Change - Audit Policy Change successes.
WN11-AU-000105 CCI-000172 The system must be configured to audit Policy Change - Authentication Policy Change successes.
WN11-AU-000107 CCI-000172 The system must be configured to audit Policy Change - Authorization Policy Change successes.
WN11-AU-000110 CCI-002234 The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.
WN11-AU-000115 CCI-000172 The system must be configured to audit Privilege Use - Sensitive Privilege Use successes.
WN11-AU-000120 CCI-000172 The system must be configured to audit System - IPsec Driver failures.
WN11-AU-000130 CCI-000172 The system must be configured to audit System - Other System Events successes.
WN11-AU-000135 CCI-000172 The system must be configured to audit System - Other System Events failures.
WN11-AU-000140 CCI-000172 The system must be configured to audit System - Security State Change successes.
WN11-AU-000150 CCI-000172 The system must be configured to audit System - Security System Extension successes.
WN11-AU-000155 CCI-000172 The system must be configured to audit System - System Integrity failures.
WN11-AU-000160 CCI-000172 The system must be configured to audit System - System Integrity successes.
WN11-AU-000500 CCI-001849 The Application event log size must be configured to 32768 KB or greater.
WN11-AU-000505 CCI-001849 The Security event log size must be configured to 1024000 KB or greater.
WN11-AU-000510 CCI-001849 The System event log size must be configured to 32768 KB or greater.
WN11-AU-000515 CCI-000162 Windows 11 permissions for the Application event log must prevent access by non-privileged accounts.
WN11-AU-000520 CCI-000162 Windows 11 permissions for the Security event log must prevent access by non-privileged accounts.
WN11-AU-000525 CCI-000162 Windows 11 permissions for the System event log must prevent access by non-privileged accounts.
WN11-AU-000550 CCI-000130 Windows 11 must be configured to audit Other Policy Change Events Successes.
WN11-AU-000555 CCI-000130 Windows 11 must be configured to audit Other Policy Change Events Failures.
WN11-AU-000560 CCI-000130 Windows 11 must be configured to audit other Logon/Logoff Events Successes.
WN11-AU-000565 CCI-000130 Windows 11 must be configured to audit other Logon/Logoff Events Failures.
WN11-AU-000570 CCI-000130 Windows 11 must be configured to audit Detailed File Share Failures.
WN11-AU-000575 CCI-000130 Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Successes.
WN11-AU-000580 CCI-000130 Windows 11 must be configured to audit MPSSVC Rule-Level Policy Change Failures.
WN11-CC-000005 CCI-000381 Camera access from the lock screen must be disabled.
WN11-CC-000007 CCI-000381 Windows 11 must cover or disable the built-in or attached camera when not in use.
WN11-CC-000010 CCI-000381 The display of slide shows on the lock screen must be disabled.
WN11-CC-000020 CCI-000366 IPv6 source routing must be configured to highest protection.
WN11-CC-000025 CCI-000366 The system must be configured to prevent IP source routing.
WN11-CC-000030 CCI-000366 The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
WN11-CC-000035 CCI-002385 The system must be configured to ignore NetBIOS name release requests except from WINS servers.
WN11-CC-000037 CCI-001084 Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
WN11-CC-000038 CCI-000381 WDigest Authentication must be disabled.
WN11-CC-000039 CCI-000381 Run as different user must be removed from context menus.
WN11-CC-000040 CCI-000366 Insecure logons to an SMB server must be disabled.
WN11-CC-000044 CCI-000381 Internet connection sharing must be disabled.
WN11-CC-000050 CCI-000366 Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN11-CC-000052 CCI-000803 Windows 11 must be configured to prioritize ECC Curves with longer key lengths first.
WN11-CC-000055 CCI-002418 Simultaneous connections to the internet or a Windows domain must be limited.
WN11-CC-000060 CCI-000366 Connections to non-domain networks when connected to a domain authenticated network must be blocked.
WN11-CC-000065 CCI-000366 Wi-Fi Sense must be disabled.
WN11-CC-000066 CCI-000135 Command line data must be included in process creation events.
WN11-CC-000068 CCI-000366 Windows 11 must be configured to enable Remote host allows delegation of non-exportable credentials.
WN11-CC-000070 CCI-000366 Virtualization-based Security must be enabled on Windows 11 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN11-CC-000075 CCI-000366 Credential Guard must be running on Windows 11 domain-joined systems.
WN11-CC-000080 CCI-000366 Virtualization-based protection of code integrity must be enabled.
WN11-CC-000085 CCI-000366 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
WN11-CC-000090 CCI-000366 Group Policy objects must be reprocessed even if they have not changed.
WN11-CC-000100 CCI-000381 Downloading print driver packages over HTTP must be prevented.
WN11-CC-000105 CCI-000381 Web publishing and online ordering wizards must be prevented from downloading a list of providers.
WN11-CC-000110 CCI-000381 Printing over HTTP must be prevented.
WN11-CC-000115 CCI-000366 Systems must at least attempt device authentication using certificates.
WN11-CC-000120 CCI-000381 The network selection user interface (UI) must not be displayed on the logon screen.
WN11-CC-000130 CCI-000381 Local users on domain-joined computers must not be enumerated.
WN11-CC-000145 CCI-002038 Users must be prompted for a password on resume from sleep (on battery).
WN11-CC-000150 CCI-002038 The user must be prompted for a password on resume from sleep (plugged in).
WN11-CC-000155 CCI-001090 Solicited Remote Assistance must not be allowed.
WN11-CC-000165 CCI-001967 Unauthenticated RPC clients must be restricted from connecting to the RPC server.
WN11-CC-000170 CCI-000366 The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.
WN11-CC-000175 CCI-000381 The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
WN11-CC-000180 CCI-001764 Autoplay must be turned off for non-volume devices.
WN11-CC-000185 CCI-001764 The default autorun behavior must be configured to prevent autorun commands.
WN11-CC-000190 CCI-001764 Autoplay must be disabled for all drives.
WN11-CC-000195 CCI-000366 Enhanced anti-spoofing for facial recognition must be enabled on Windows 11.
WN11-CC-000197 CCI-000381 Microsoft consumer experiences must be turned off.
WN11-CC-000200 CCI-001084 Administrator accounts must not be enumerated during elevation.
WN11-CC-000204 CCI-000366 Enhanced diagnostic data must be limited to the minimum required to support Windows Analytics.
WN11-CC-000205 CCI-001312 Windows Telemetry must not be configured to Full.
WN11-CC-000206 CCI-000366 Windows Update must not obtain updates from other PCs on the internet.
WN11-CC-000210 CCI-000381 The Microsoft Defender SmartScreen for Explorer must be enabled.
WN11-CC-000215 CCI-002824 Explorer Data Execution Prevention must be enabled.
WN11-CC-000220 CCI-002385 File Explorer heap termination on corruption must be disabled.
WN11-CC-000225 CCI-000366 File Explorer shell protocol must run in protected mode.
WN11-CC-000252 CCI-000381 Windows 11 must be configured to disable Windows Game Recording and Broadcasting.
WN11-CC-000255 CCI-000366 The use of a hardware security device with Windows Hello for Business must be enabled.
WN11-CC-000260 CCI-000366 Windows 11 must be configured to require a minimum pin length of six characters or greater.
WN11-CC-000270 CCI-002038 Passwords must not be saved in the Remote Desktop Client.
WN11-CC-000275 CCI-001090 Local drives must be prevented from sharing with Remote Desktop Session Hosts.
WN11-CC-000280 CCI-002038 Remote Desktop Services must always prompt a client for passwords upon connection.
WN11-CC-000285 CCI-001453 The Remote Desktop Session Host must require secure RPC communications.
WN11-CC-000290 CCI-000068 Remote Desktop Services must be configured with the client connection encryption set to the required level.
WN11-CC-000295 CCI-000366 Attachments must be prevented from being downloaded from RSS feeds.
WN11-CC-000300 CCI-000381 Basic authentication for RSS feeds over HTTP must not be used.
WN11-CC-000305 CCI-000381 Indexing of encrypted files must be turned off.
WN11-CC-000310 CCI-001812 Users must be prevented from changing installation options.
WN11-CC-000315 CCI-001812 The Windows Installer feature "Always install with elevated privileges" must be disabled.
WN11-CC-000320 CCI-000366 Users must be notified if a web-based program attempts to install software.
WN11-CC-000325 CCI-000366 Automatically signing in the last interactive user after a system-initiated restart must be disabled.
WN11-CC-000326 CCI-000135 PowerShell script block logging must be enabled on Windows 11.
WN11-CC-000327 CCI-000134 PowerShell Transcription must be enabled on Windows 11.
WN11-CC-000330 CCI-000877 The Windows Remote Management (WinRM) client must not use Basic authentication.
WN11-CC-000335 CCI-002890 The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
WN11-CC-000345 CCI-000877 The Windows Remote Management (WinRM) service must not use Basic authentication.
WN11-CC-000350 CCI-003123 The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
WN11-CC-000355 CCI-002038 The Windows Remote Management (WinRM) service must not store RunAs credentials.
WN11-CC-000360 CCI-000877 The Windows Remote Management (WinRM) client must not use Digest authentication.
WN11-CC-000365 CCI-000056 Windows 11 must be configured to prevent Windows apps from being activated by voice while the system is locked.
WN11-CC-000370 CCI-000381 The convenience PIN for Windows 11 must be disabled.
WN11-CC-000385 CCI-000060 Windows Ink Workspace must be configured to disallow access above the lock.
WN11-CC-000390 CCI-000381 Windows 11 must be configured to prevent users from receiving suggestions for third-party or additional applications.
WN11-EP-000310 CCI-000172 Windows 11 Kernel (Direct Memory Access) DMA Protection must be enabled.
WN11-PK-000005 CCI-000185 The DoD Root CA certificates must be installed in the Trusted Root Store.
WN11-PK-000010 CCI-000185 The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems.
WN11-PK-000015 CCI-002470 The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
WN11-PK-000020 CCI-002470 The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
WN11-RG-000005 CCI-002235 Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
WN11-SO-000005 CCI-000764 The built-in administrator account must be disabled.
WN11-SO-000010 CCI-000804 The built-in guest account must be disabled.
WN11-SO-000015 CCI-000366 Local accounts with blank passwords must be restricted to prevent access from the network.
WN11-SO-000020 CCI-000366 The built-in administrator account must be renamed.
WN11-SO-000025 CCI-000366 The built-in guest account must be renamed.
WN11-SO-000030 CCI-000169 Audit policy using subcategories must be enabled.
WN11-SO-000035 CCI-002418 Outgoing secure channel traffic must be encrypted or signed.
WN11-SO-000040 CCI-002418 Outgoing secure channel traffic must be encrypted.
WN11-SO-000045 CCI-002418 Outgoing secure channel traffic must be signed.
WN11-SO-000050 CCI-000366 The computer account password must not be prevented from being reset.
WN11-SO-000055 CCI-000366 The maximum age for machine account passwords must be configured to 30 days or less.
WN11-SO-000060 CCI-002418 The system must be configured to require a strong session key.
WN11-SO-000070 CCI-001133 The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
WN11-SO-000075 CCI-000044 The required legal notice must be configured to display before console logon.
WN11-SO-000080 CCI-000048 The Windows message title for the legal notice must be configured.
WN11-SO-000085 CCI-000366 Caching of logon credentials must be limited.
WN11-SO-000095 CCI-000366 The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN11-SO-000100 CCI-002418 The Windows SMB client must be configured to always perform SMB packet signing.
WN11-SO-000110 CCI-000197 Unencrypted passwords must not be sent to third-party SMB Servers.
WN11-SO-000120 CCI-002418 The Windows SMB server must be configured to always perform SMB packet signing.
WN11-SO-000140 CCI-000366 Anonymous SID/Name translation must not be allowed.
WN11-SO-000145 CCI-000366 Anonymous enumeration of SAM accounts must not be allowed.
WN11-SO-000150 CCI-001090 Anonymous enumeration of shares must be restricted.
WN11-SO-000160 CCI-000366 The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
WN11-SO-000165 CCI-001090 Anonymous access to Named Pipes and Shares must be restricted.
WN11-SO-000167 CCI-002235 Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
WN11-SO-000180 CCI-000366 NTLM must be prevented from falling back to a Null session.
WN11-SO-000185 CCI-000366 PKU2U authentication using online identities must be prevented.
WN11-SO-000190 CCI-000803 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
WN11-SO-000195 CCI-000196 The system must be configured to prevent the storage of the LAN Manager hash of passwords.
WN11-SO-000205 CCI-000366 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
WN11-SO-000210 CCI-000366 The system must be configured to the required LDAP client signing level.
WN11-SO-000215 CCI-000366 The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
WN11-SO-000220 CCI-000366 The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
WN11-SO-000230 CCI-002450 The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
WN11-SO-000240 CCI-000366 The default permissions of global system objects must be increased.
WN11-SO-000245 CCI-002038 User Account Control approval mode for the built-in Administrator must be enabled.
WN11-SO-000250 CCI-001084 User Account Control must prompt administrators for consent on the secure desktop.
WN11-SO-000251 CCI-000765 Windows 11 must use multifactor authentication for local and network access to privileged and nonprivileged accounts.
WN11-SO-000255 CCI-002038 User Account Control must automatically deny elevation requests for standard users.
WN11-SO-000260 CCI-001084 User Account Control must be configured to detect application installations and prompt for elevation.
WN11-SO-000265 CCI-001084 User Account Control must only elevate UIAccess applications that are installed in secure locations.
WN11-SO-000270 CCI-002038 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
WN11-SO-000275 CCI-001084 User Account Control must virtualize file and registry write failures to per-user locations.
WN11-SO-000280 CCI-000199 Passwords for enabled local Administrator accounts must be changed at least every 60 days.
WN11-UC-000015 CCI-000381 Toast notifications to the lock screen must be turned off.
WN11-UC-000020 CCI-000366 Zone information must be preserved when saving attachments.
WN11-UR-000005 CCI-002235 The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts.
WN11-UR-000010 CCI-000213 The "Access this computer from the network" user right must only be assigned to the Administrators and Remote Desktop Users groups.
WN11-UR-000015 CCI-002235 The "Act as part of the operating system" user right must not be assigned to any groups or accounts.
WN11-UR-000025 CCI-000213 The "Allow log on locally" user right must only be assigned to the Administrators and Users groups.
WN11-UR-000030 CCI-002235 The "Back up files and directories" user right must only be assigned to the Administrators group.
WN11-UR-000035 CCI-002235 The "Change the system time" user right must only be assigned to Administrators and Local Service.
WN11-UR-000040 CCI-002235 The "Create a pagefile" user right must only be assigned to the Administrators group.
WN11-UR-000045 CCI-002235 The "Create a token object" user right must not be assigned to any groups or accounts.
WN11-UR-000050 CCI-002235 The "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN11-UR-000055 CCI-002235 The "Create permanent shared objects" user right must not be assigned to any groups or accounts.
WN11-UR-000060 CCI-002235 The "Create symbolic links" user right must only be assigned to the Administrators group.
WN11-UR-000065 CCI-002235 The "Debug programs" user right must only be assigned to the Administrators group.
WN11-UR-000070 CCI-000213 The "Deny access to this computer from the network" user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
WN11-UR-000075 CCI-000213 The "Deny log on as a batch job" user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
WN11-UR-000080 CCI-000213 The "Deny log on as a service" user right on Windows 11 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
WN11-UR-000085 CCI-000213 The "Deny log on locally" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
WN11-UR-000090 CCI-000213 The "Deny log on through Remote Desktop Services" user right on Windows 11 workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.
WN11-UR-000095 CCI-002235 The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts.
WN11-UR-000100 CCI-002235 The "Force shutdown from a remote system" user right must only be assigned to the Administrators group.
WN11-UR-000110 CCI-002235 The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN11-UR-000120 CCI-002235 The "Load and unload device drivers" user right must only be assigned to the Administrators group.
WN11-UR-000125 CCI-002235 The "Lock pages in memory" user right must not be assigned to any groups or accounts.
WN11-UR-000130 CCI-000162 The "Manage auditing and security log" user right must only be assigned to the Administrators group.
WN11-UR-000140 CCI-002235 The "Modify firmware environment values" user right must only be assigned to the Administrators group.
WN11-UR-000145 CCI-002235 The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group.
WN11-UR-000150 CCI-002235 The "Profile single process" user right must only be assigned to the Administrators group.
WN11-UR-000160 CCI-002235 The "Restore files and directories" user right must only be assigned to the Administrators group.
WN11-UR-000165 CCI-002235 The "Take ownership of files or other objects" user right must only be assigned to the Administrators group.
WN11-CC-000391 CCI-000366 Internet Explorer must be disabled for Windows 11.
WN11-00-000395 CCI-000381 Windows 11 must not have portproxy enabled or in use.
WN11-AU-000585 CCI-002234 Windows 11 must have command line process auditing events enabled for failures.