Microsoft Windows Server 2016 STIG V2R7

STIG ID CCI Title
WN16-00-000010 CCI-000366 Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN16-00-000030 CCI-000199 Passwords for the built-in Administrator account must be changed at least every 60 days.
WN16-00-000040 CCI-000366 Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
WN16-00-000050 CCI-000366 Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN16-00-000060 CCI-000205 Manually managed application account passwords must be at least 15 characters in length.
WN16-00-000070 CCI-000366 Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN16-00-000080 CCI-000764 Shared user accounts must not be permitted on the system.
WN16-00-000090 CCI-001774 Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
WN16-00-000100 CCI-000366 Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN16-00-000110 CCI-000366 Systems must be maintained at a supported servicing level.
WN16-00-000120 CCI-000366 The Windows Server 2016 system must use an anti-virus program.
WN16-00-000140 CCI-000366 Servers must have a host-based intrusion detection or prevention system.
WN16-00-000150 CCI-000213 Local volumes must use a format that supports NTFS attributes.
WN16-00-000160 CCI-002165 Permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
WN16-00-000170 CCI-002165 Permissions for program file directories must conform to minimum requirements.
WN16-00-000180 CCI-002165 Permissions for the Windows installation directory must conform to minimum requirements.
WN16-00-000190 CCI-002235 Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
WN16-00-000200 CCI-000213 Non-administrative accounts or groups must only have print permissions on printer shares.
WN16-00-000210 CCI-000764 Outdated or unused accounts must be removed from the system or disabled.
WN16-00-000220 CCI-000764 Windows Server 2016 accounts must require passwords.
WN16-00-000230 CCI-000199 Passwords must be configured to expire.
WN16-00-000240 CCI-001744 System files must be monitored for unauthorized changes.
WN16-00-000250 CCI-001090 Non-system-created file shares on a system must limit access to groups that require it.
WN16-00-000270 CCI-000366 Software certificate installation files must be removed from Windows Server 2016.
WN16-00-000280 CCI-001199 Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
WN16-00-000290 CCI-002420 Protection methods such as TLS, encrypted VPNs, or IPsec must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
WN16-00-000300 CCI-000381 The roles and features required by the system must be documented.
WN16-00-000310 CCI-000366 A host-based firewall must be installed and enabled on the system.
WN16-00-000320 CCI-001233 Windows Server 2016 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).
WN16-00-000330 CCI-000016 Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours.
WN16-00-000340 CCI-001682 Windows Server 2016 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
WN16-00-000350 CCI-000381 The Fax Server role must not be installed.
WN16-00-000360 CCI-000382 The Microsoft FTP service must not be installed unless required.
WN16-00-000370 CCI-000381 The Peer Name Resolution Protocol must not be installed.
WN16-00-000380 CCI-000381 Simple TCP/IP Services must not be installed.
WN16-00-000390 CCI-000382 The Telnet Client must not be installed.
WN16-00-000400 CCI-000381 The TFTP Client must not be installed.
WN16-00-000410 CCI-000381 The Server Message Block (SMB) v1 protocol must be uninstalled.
WN16-00-000411 CCI-000381 The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
WN16-00-000412 CCI-000381 The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
WN16-00-000420 CCI-000381 Windows PowerShell 2.0 must not be installed.
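The following PowerShell is an added example, not part of the STIG or of DISA's published check text. It inventories the roles and features that WN16-00-000350 through WN16-00-000420 say must not be installed, and checks the SMBv1 server and client switches behind WN16-00-000411 and WN16-00-000412. The feature names and registry locations are the ones the STIG checks refer to; the function names and the Open/NotAFinding labels are this example's own convention. Run it in an elevated PowerShell session on the server being assessed.

```powershell
# Added example for WN16-00-000350..000420 and WN16-00-000411/000412.
# Requires the ServerManager module (present on Windows Server 2016) and elevation.

$forbiddenFeatures = @(
    @{ StigId = 'WN16-00-000350'; Name = 'Fax' },
    @{ StigId = 'WN16-00-000360'; Name = 'Web-Ftp-Server' },  # "unless required": keep only with documented justification
    @{ StigId = 'WN16-00-000370'; Name = 'PNRP' },
    @{ StigId = 'WN16-00-000380'; Name = 'Simple-TCPIP' },
    @{ StigId = 'WN16-00-000390'; Name = 'Telnet-Client' },
    @{ StigId = 'WN16-00-000400'; Name = 'TFTP-Client' },
    @{ StigId = 'WN16-00-000410'; Name = 'FS-SMB1' },
    @{ StigId = 'WN16-00-000420'; Name = 'PowerShell-v2' }
)

function Test-ForbiddenFeature {
    # One result object per feature; Installed comes straight from Get-WindowsFeature.
    foreach ($f in $forbiddenFeatures) {
        $feature = Get-WindowsFeature -Name $f.Name
        [pscustomobject]@{
            StigId = $f.StigId
            Check  = "feature $($f.Name) not installed"
            Actual = if ($feature.Installed) { 'Installed' } else { 'Not installed' }
            Status = if ($feature.Installed) { 'Open' } else { 'NotAFinding' }
        }
    }
}

function Test-Smb1Protocol {
    # WN16-00-000411: the server-side SMB1 switch must be off even after the feature is removed.
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        StigId = 'WN16-00-000411'
        Check  = 'Get-SmbServerConfiguration EnableSMB1Protocol is False'
        Actual = $server.EnableSMB1Protocol
        Status = if ($server.EnableSMB1Protocol) { 'Open' } else { 'NotAFinding' }
    }

    # WN16-00-000412: the SMB1 redirector driver must be disabled (Start = 4) and the
    # Workstation service must not list MRxSmb10 as a dependency.
    $mrx  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue
    $deps = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' -Name DependOnService).DependOnService
    $driverOff    = ($null -eq $mrx) -or ($mrx.Start -eq 4)   # a missing key means the driver is gone
    $noDependency = $deps -notcontains 'MRxSmb10'
    [pscustomobject]@{
        StigId = 'WN16-00-000412'
        Check  = 'mrxsmb10 Start=4 and MRxSmb10 absent from LanmanWorkstation DependOnService'
        Actual = "Start=$(if ($mrx) { $mrx.Start } else { 'n/a' }); DependOnService=$($deps -join ',')"
        Status = if ($driverOff -and $noDependency) { 'NotAFinding' } else { 'Open' }
    }
}

function Invoke-Smb1Remediation {
    # Fixes for 000410/000411/000412 and 000420. Feature removal takes effect after a
    # reboot, so run this under change control. The sc.exe calls are Microsoft's documented
    # way of disabling the SMB1 client; the space after "start=" and "depend=" is required.
    Uninstall-WindowsFeature -Name FS-SMB1, PowerShell-v2
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
}

# Report only what needs attention; drop the Where-Object filter to see every check.
@(Test-ForbiddenFeature) + @(Test-Smb1Protocol) |
    Where-Object Status -eq 'Open' | Format-Table -AutoSize
```

Checking the feature state alone is not enough: WN16-00-000411 and WN16-00-000412 exist because the SMB1 server switch and the SMB1 redirector can remain active while the FS-SMB1 feature reports as removed, which is why the example tests all three independently.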
WN16-00-000430 CCI-000366 FTP servers must be configured to prevent anonymous logons.
WN16-00-000440 CCI-000366 FTP servers must be configured to prevent access to the system drive.
WN16-00-000450 CCI-001891 The time service must synchronize with an appropriate DoD time source.
WN16-00-000460 CCI-000366 Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2016.
WN16-00-000470 CCI-000366 Secure Boot must be enabled on Windows Server 2016 systems.
WN16-00-000480 CCI-000366 Windows 2016 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN16-AC-000010 CCI-002238 Windows 2016 account lockout duration must be configured to 15 minutes or greater.
WN16-AC-000020 CCI-000044 Windows Server 2016 must have the number of allowed bad logon attempts configured to three or less.
WN16-AC-000030 CCI-000044 Windows Server 2016 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
WN16-AC-000040 CCI-000200 Windows Server 2016 password history must be configured to 24 passwords remembered.
WN16-AC-000050 CCI-000199 Windows Server 2016 maximum password age must be configured to 60 days or less.
WN16-AC-000060 CCI-000198 Windows Server 2016 minimum password age must be configured to at least one day.
WN16-AC-000070 CCI-000205 Windows Server 2016 minimum password length must be configured to 14 characters.
WN16-AC-000080 CCI-000192 Windows Server 2016 must have the built-in Windows password complexity policy enabled.
WN16-AC-000090 CCI-000196 Windows Server 2016 reversible password encryption must be disabled.
WN16-AU-000010 CCI-001851 Audit records must be backed up to a different system or media than the system being audited.
WN16-AU-000020 CCI-001851 Windows Server 2016 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly.
WN16-AU-000030 CCI-000162 Permissions for the Application event log must prevent access by non-privileged accounts.
WN16-AU-000040 CCI-000162 Permissions for the Security event log must prevent access by non-privileged accounts.
WN16-AU-000050 CCI-000162 Permissions for the System event log must prevent access by non-privileged accounts.
WN16-AU-000060 CCI-001494 Event Viewer must be protected from unauthorized modification and deletion.
WN16-AU-000070 CCI-000172 Windows Server 2016 must be configured to audit Account Logon - Credential Validation successes.
WN16-AU-000080 CCI-000172 Windows Server 2016 must be configured to audit Account Logon - Credential Validation failures.
WN16-AU-000100 CCI-000172 Windows Server 2016 must be configured to audit Account Management - Other Account Management Events successes.
WN16-AU-000120 CCI-000018 Windows Server 2016 must be configured to audit Account Management - Security Group Management successes.
WN16-AU-000140 CCI-000018 Windows Server 2016 must be configured to audit Account Management - User Account Management successes.
WN16-AU-000150 CCI-000018 Windows Server 2016 must be configured to audit Account Management - User Account Management failures.
WN16-AU-000160 CCI-000172 Windows Server 2016 must be configured to audit Detailed Tracking - Plug and Play Events successes.
WN16-AU-000170 CCI-000172 Windows Server 2016 must be configured to audit Detailed Tracking - Process Creation successes.
WN16-AU-000230 CCI-000172 Windows Server 2016 must be configured to audit Logon/Logoff - Account Lockout failures.
WN16-AU-000240 CCI-000172 Windows Server 2016 must be configured to audit Logon/Logoff - Group Membership successes.
WN16-AU-000250 CCI-000067 Windows Server 2016 must be configured to audit Logon/Logoff - Logoff successes.
WN16-AU-000260 CCI-000067 Windows Server 2016 must be configured to audit Logon/Logoff - Logon successes.
WN16-AU-000270 CCI-000067 Windows Server 2016 must be configured to audit Logon/Logoff - Logon failures.
WN16-AU-000280 CCI-000172 Windows Server 2016 must be configured to audit Logon/Logoff - Special Logon successes.
WN16-AU-000285 CCI-000172 Windows 2016 must be configured to audit Object Access - Other Object Access Events successes.
WN16-AU-000286 CCI-000172 Windows 2016 must be configured to audit Object Access - Other Object Access Events failures.
WN16-AU-000290 CCI-000172 Windows Server 2016 must be configured to audit Object Access - Removable Storage successes.
WN16-AU-000300 CCI-000172 Windows Server 2016 must be configured to audit Object Access - Removable Storage failures.
WN16-AU-000310 CCI-000172 Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change successes.
WN16-AU-000320 CCI-000172 Windows Server 2016 must be configured to audit Policy Change - Audit Policy Change failures.
WN16-AU-000330 CCI-000172 Windows Server 2016 must be configured to audit Policy Change - Authentication Policy Change successes.
WN16-AU-000340 CCI-000172 Windows Server 2016 must be configured to audit Policy Change - Authorization Policy Change successes.
WN16-AU-000350 CCI-000172 Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
WN16-AU-000360 CCI-000172 Windows Server 2016 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
WN16-AU-000370 CCI-000172 Windows Server 2016 must be configured to audit System - IPsec Driver successes.
WN16-AU-000380 CCI-000172 Windows Server 2016 must be configured to audit System - IPsec Driver failures.
WN16-AU-000390 CCI-000172 Windows Server 2016 must be configured to audit System - Other System Events successes.
WN16-AU-000400 CCI-000172 Windows Server 2016 must be configured to audit System - Other System Events failures.
WN16-AU-000410 CCI-000172 Windows Server 2016 must be configured to audit System - Security State Change successes.
WN16-AU-000420 CCI-000172 Windows Server 2016 must be configured to audit System - Security System Extension successes.
WN16-AU-000440 CCI-000172 Windows Server 2016 must be configured to audit System - System Integrity successes.
WN16-AU-000450 CCI-000172 Windows Server 2016 must be configured to audit System - System Integrity failures.
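The following PowerShell is an added example, not part of the STIG. It reads the effective audit policy with auditpol and compares each subcategory with the minimum required by WN16-AU-000070 through WN16-AU-000450, plus the domain-controller subcategories from WN16-DC-000230 through WN16-DC-000260 when -DomainController is given. The subcategory names are those auditpol reports on an English-language system; the table of requirements, the function names and the Open/NotAFinding labels are this example's own.

```powershell
# Added example for WN16-AU-000070..000450 (and WN16-DC-000230..000260 on domain controllers).
# auditpol needs elevation and reports the effective policy, including Group Policy settings.

# Minimum required setting per subcategory; "Success and Failure" satisfies any requirement.
$required = @(
    @{ Sub = 'Credential Validation';           Need = 'Success and Failure' },
    @{ Sub = 'Other Account Management Events'; Need = 'Success' },
    @{ Sub = 'Security Group Management';       Need = 'Success' },
    @{ Sub = 'User Account Management';         Need = 'Success and Failure' },
    @{ Sub = 'Plug and Play Events';            Need = 'Success' },
    @{ Sub = 'Process Creation';                Need = 'Success' },
    @{ Sub = 'Account Lockout';                 Need = 'Failure' },
    @{ Sub = 'Group Membership';                Need = 'Success' },
    @{ Sub = 'Logoff';                          Need = 'Success' },
    @{ Sub = 'Logon';                           Need = 'Success and Failure' },
    @{ Sub = 'Special Logon';                   Need = 'Success' },
    @{ Sub = 'Other Object Access Events';      Need = 'Success and Failure' },
    @{ Sub = 'Removable Storage';               Need = 'Success and Failure' },
    @{ Sub = 'Audit Policy Change';             Need = 'Success and Failure' },
    @{ Sub = 'Authentication Policy Change';    Need = 'Success' },
    @{ Sub = 'Authorization Policy Change';     Need = 'Success' },
    @{ Sub = 'Sensitive Privilege Use';         Need = 'Success and Failure' },
    @{ Sub = 'IPsec Driver';                    Need = 'Success and Failure' },
    @{ Sub = 'Other System Events';             Need = 'Success and Failure' },
    @{ Sub = 'Security State Change';           Need = 'Success' },
    @{ Sub = 'Security System Extension';       Need = 'Success' },
    @{ Sub = 'System Integrity';                Need = 'Success and Failure' }
)
$requiredDc = @(
    @{ Sub = 'Computer Account Management';     Need = 'Success' },
    @{ Sub = 'Directory Service Access';        Need = 'Success and Failure' },
    @{ Sub = 'Directory Service Changes';       Need = 'Success' }
)

function Test-AuditSetting([string]$Actual, [string]$Need) {
    # Auditing both outcomes always satisfies the requirement; otherwise the
    # effective setting must match the required outcome exactly.
    if ($Actual -eq 'Success and Failure') { return $true }
    if ($Need -eq 'Success and Failure')   { return $false }
    return $Actual -eq $Need
}

function Get-AuditFindings([switch]$DomainController) {
    # /r gives CSV: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting. Blank lines are dropped before parsing.
    $rows = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $effective = @{}
    foreach ($row in $rows) { $effective[$row.Subcategory] = $row.'Inclusion Setting' }

    $checks = $required
    if ($DomainController) { $checks += $requiredDc }
    foreach ($c in $checks) {
        $actual = $effective[$c.Sub]
        if ($null -eq $actual) { $actual = 'Not reported' }
        [pscustomobject]@{
            Subcategory = $c.Sub
            Required    = $c.Need
            Actual      = $actual
            Status      = if (Test-AuditSetting $actual $c.Need) { 'NotAFinding' } else { 'Open' }
        }
    }
}

Get-AuditFindings | Where-Object Status -eq 'Open' | Format-Table -AutoSize
```

Subcategory settings only take effect when WN16-SO-000050 (force audit policy subcategory settings) is also enabled; otherwise the legacy category settings win, so a clean auditpol report is not by itself proof that the events are being written.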
WN16-CC-000010 CCI-000381 The display of slide shows on the lock screen must be disabled.
WN16-CC-000030 CCI-000381 WDigest Authentication must be disabled on Windows Server 2016.
WN16-CC-000040 CCI-000366 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
WN16-CC-000050 CCI-000366 Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
WN16-CC-000060 CCI-000366 Windows Server 2016 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
WN16-CC-000070 CCI-002385 Windows Server 2016 must be configured to ignore NetBIOS name release requests except from WINS servers.
WN16-CC-000080 CCI-000366 Insecure logons to an SMB server must be disabled.
WN16-CC-000090 CCI-000366 Hardened UNC paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN16-CC-000100 CCI-000135 Command line data must be included in process creation events.
WN16-CC-000110 CCI-000366 Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN16-CC-000140 CCI-000366 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
WN16-CC-000150 CCI-000366 Group Policy objects must be reprocessed even if they have not changed.
WN16-CC-000160 CCI-000381 Downloading print driver packages over HTTP must be prevented.
WN16-CC-000170 CCI-000381 Printing over HTTP must be prevented.
WN16-CC-000180 CCI-000381 The network selection user interface (UI) must not be displayed on the logon screen.
WN16-CC-000210 CCI-000366 Users must be prompted to authenticate when the system wakes from sleep (on battery).
WN16-CC-000220 CCI-000366 Users must be prompted to authenticate when the system wakes from sleep (plugged in).
WN16-CC-000240 CCI-000381 The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
WN16-CC-000250 CCI-001764 AutoPlay must be turned off for non-volume devices.
WN16-CC-000260 CCI-001764 The default AutoRun behavior must be configured to prevent AutoRun commands.
WN16-CC-000270 CCI-001764 AutoPlay must be disabled for all drives.
WN16-CC-000280 CCI-001084 Administrator accounts must not be enumerated during elevation.
WN16-CC-000290 CCI-000366 Windows Telemetry must be configured to Security or Basic.
WN16-CC-000300 CCI-001849 The Application event log size must be configured to 32768 KB or greater.
WN16-CC-000310 CCI-001849 The Security event log size must be configured to 196608 KB or greater.
WN16-CC-000320 CCI-001849 The System event log size must be configured to 32768 KB or greater.
WN16-CC-000330 CCI-000381 Windows Server 2016 Windows SmartScreen must be enabled.
WN16-CC-000340 CCI-002824 Explorer Data Execution Prevention must be enabled.
WN16-CC-000350 CCI-000366 Turning off File Explorer heap termination on corruption must be disabled.
WN16-CC-000360 CCI-000366 File Explorer shell protocol must run in protected mode.
WN16-CC-000370 CCI-002038 Passwords must not be saved in the Remote Desktop Client.
WN16-CC-000380 CCI-001090 Local drives must be prevented from sharing with Remote Desktop Session Hosts.
WN16-CC-000390 CCI-002038 Remote Desktop Services must always prompt a client for passwords upon connection.
WN16-CC-000400 CCI-001453 The Remote Desktop Session Host must require secure Remote Procedure Call (RPC) communications.
WN16-CC-000410 CCI-001453 Remote Desktop Services must be configured with the client connection encryption set to High Level.
WN16-CC-000420 CCI-000366 Attachments must be prevented from being downloaded from RSS feeds.
WN16-CC-000430 CCI-000381 Basic authentication for RSS feeds over HTTP must not be used.
WN16-CC-000440 CCI-000381 Indexing of encrypted files must be turned off.
WN16-CC-000450 CCI-001812 Users must be prevented from changing installation options.
WN16-CC-000460 CCI-001812 The Windows Installer Always install with elevated privileges option must be disabled.
WN16-CC-000470 CCI-000366 Users must be notified if a web-based program attempts to install software.
WN16-CC-000480 CCI-000366 Automatically signing in the last interactive user after a system-initiated restart must be disabled.
WN16-CC-000490 CCI-000135 PowerShell script block logging must be enabled.
WN16-CC-000500 CCI-000877 The Windows Remote Management (WinRM) client must not use Basic authentication.
WN16-CC-000510 CCI-002890 The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
WN16-CC-000520 CCI-000877 The Windows Remote Management (WinRM) client must not use Digest authentication.
WN16-CC-000530 CCI-000877 The Windows Remote Management (WinRM) service must not use Basic authentication.
WN16-CC-000540 CCI-002890 The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
WN16-CC-000550 CCI-002038 The Windows Remote Management (WinRM) service must not store RunAs credentials.
WN16-DC-000010 CCI-002235 Only administrators responsible for the domain controller must have Administrator rights on the system.
WN16-DC-000020 CCI-001941 Kerberos user logon restrictions must be enforced.
WN16-DC-000030 CCI-001941 The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
WN16-DC-000040 CCI-001941 The Kerberos user ticket lifetime must be limited to 10 hours or less.
WN16-DC-000050 CCI-001941 The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
WN16-DC-000060 CCI-001941 The computer clock synchronization tolerance must be limited to 5 minutes or less.
WN16-DC-000070 CCI-002235 Permissions on the Active Directory data files must only allow System and Administrators access.
WN16-DC-000080 CCI-002235 The Active Directory SYSVOL directory must have the proper access control permissions.
WN16-DC-000090 CCI-002235 Active Directory Group Policy objects must have proper access control permissions.
WN16-DC-000100 CCI-002235 The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
WN16-DC-000110 CCI-002235 Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
WN16-DC-000120 CCI-001090 Data files owned by users must be on a different logical partition from the directory server data files.
WN16-DC-000130 CCI-000381 Domain controllers must run on a machine dedicated to that function.
WN16-DC-000140 CCI-002450 Separate, NSA-approved (Type 1) cryptography must be used to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
WN16-DC-000150 CCI-000366 Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access.
WN16-DC-000160 CCI-001133 The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity.
WN16-DC-000170 CCI-000172 Active Directory Group Policy objects must be configured with proper audit settings.
WN16-DC-000180 CCI-000172 The Active Directory Domain object must be configured with proper audit settings.
WN16-DC-000190 CCI-000172 The Active Directory Infrastructure object must be configured with proper audit settings.
WN16-DC-000200 CCI-000172 The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
WN16-DC-000210 CCI-000172 The Active Directory AdminSDHolder object must be configured with proper audit settings.
WN16-DC-000220 CCI-000172 The Active Directory RID Manager$ object must be configured with proper audit settings.
WN16-DC-000230 CCI-000018 Windows Server 2016 must be configured to audit Account Management - Computer Account Management successes.
WN16-DC-000240 CCI-000172 Windows Server 2016 must be configured to audit DS Access - Directory Service Access successes.
WN16-DC-000250 CCI-000172 Windows Server 2016 must be configured to audit DS Access - Directory Service Access failures.
WN16-DC-000260 CCI-000172 Windows Server 2016 must be configured to audit DS Access - Directory Service Changes successes.
WN16-DC-000280 CCI-000185 Domain controllers must have a PKI server certificate.
WN16-DC-000290 CCI-000185 Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
WN16-DC-000300 CCI-000185 PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA).
WN16-DC-000310 CCI-000765 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
WN16-DC-000320 CCI-002418 Domain controllers must require LDAP access signing.
WN16-DC-000330 CCI-000366 Domain controllers must be configured to allow reset of machine account passwords.
WN16-DC-000340 CCI-000213 The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
WN16-DC-000350 CCI-002235 The Add workstations to domain user right must only be assigned to the Administrators group.
WN16-DC-000360 CCI-000213 The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group.
WN16-DC-000370 CCI-000213 The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access.
WN16-DC-000380 CCI-000213 The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access.
WN16-DC-000390 CCI-000213 The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers.
WN16-DC-000400 CCI-000213 The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access.
WN16-DC-000410 CCI-002314 The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.
WN16-DC-000420 CCI-002235 The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers.
WN16-DC-000430 CCI-000366 The password for the krbtgt account on a domain must be reset at least every 180 days.
WN16-MS-000010 CCI-002235 Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system.
WN16-MS-000020 CCI-001084 Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
WN16-MS-000030 CCI-000381 Local users on domain-joined computers must not be enumerated.
WN16-MS-000040 CCI-001967 Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server.
WN16-MS-000050 CCI-000366 Caching of logon credentials must be limited.
WN16-MS-000120 CCI-000366 Windows Server 2016 must be running Credential Guard on domain-joined member servers.
WN16-MS-000310 CCI-002235 Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
WN16-MS-000340 CCI-000213 The "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on member servers.
WN16-MS-000370 CCI-000213 The "Deny access to this computer from the network" user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and from unauthenticated access on all systems.
WN16-MS-000380 CCI-000213 The "Deny log on as a batch job" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
WN16-MS-000390 CCI-000213 The "Deny log on as a service" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right.
WN16-MS-000400 CCI-000213 The "Deny log on locally" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems.
WN16-MS-000410 CCI-002314 The "Deny log on through Remote Desktop Services" user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.
WN16-MS-000420 CCI-002235 The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on member servers.
WN16-PK-000010 CCI-000185 The DoD Root CA certificates must be installed in the Trusted Root Store.
WN16-PK-000020 CCI-000185 The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
WN16-PK-000030 CCI-000185 The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems.
WN16-SO-000010 CCI-000804 Windows Server 2016 built-in guest account must be disabled.
WN16-SO-000020 CCI-000366 Local accounts with blank passwords must be restricted to prevent access from the network.
WN16-SO-000030 CCI-000366 Windows Server 2016 built-in administrator account must be renamed.
WN16-SO-000040 CCI-000366 Windows Server 2016 built-in guest account must be renamed.
WN16-SO-000050 CCI-000169 Audit policy using subcategories must be enabled.
WN16-SO-000080 CCI-002418 The setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
WN16-SO-000090 CCI-002418 The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled.
WN16-SO-000100 CCI-002418 The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
WN16-SO-000110 CCI-001967 The computer account password must not be prevented from being reset.
WN16-SO-000120 CCI-000366 The maximum age for machine account passwords must be configured to 30 days or less.
WN16-SO-000130 CCI-002418 Windows Server 2016 must be configured to require a strong session key.
WN16-SO-000140 CCI-000057 The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.
WN16-SO-000150 CCI-000048 The required legal notice must be configured to display before console logon.
WN16-SO-000160 CCI-000048 The Windows dialog box title for the legal banner must be configured with the appropriate text.
WN16-SO-000180 CCI-000366 The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN16-SO-000190 CCI-002418 The setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
WN16-SO-000200 CCI-002418 The setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
WN16-SO-000210 CCI-000197 Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
WN16-SO-000230 CCI-002418 The setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
WN16-SO-000240 CCI-002418 The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
WN16-SO-000250 CCI-000366 Anonymous SID/Name translation must not be allowed.
WN16-SO-000260 CCI-000366 Anonymous enumeration of Security Account Manager (SAM) accounts must not be allowed.
WN16-SO-000270 CCI-001090 Anonymous enumeration of shares must not be allowed.
WN16-SO-000290 CCI-000366 Windows Server 2016 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
WN16-SO-000300 CCI-001090 Anonymous access to Named Pipes and Shares must be restricted.
WN16-SO-000320 CCI-000366 Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
WN16-SO-000330 CCI-000366 NTLM must be prevented from falling back to a Null session.
WN16-SO-000340 CCI-000366 PKU2U authentication using online identities must be prevented.
WN16-SO-000350 CCI-000803 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
WN16-SO-000360 CCI-000196 Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.
WN16-SO-000380 CCI-000366 The LAN Manager authentication level must be set to send NTLMv2 response only and to refuse LM and NTLM.
WN16-SO-000390 CCI-000366 Windows Server 2016 must be configured to at least negotiate signing for LDAP client signing.
WN16-SO-000400 CCI-000366 Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
WN16-SO-000410 CCI-000366 Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
WN16-SO-000420 CCI-000186 Users must be required to enter a password to access private keys stored on the computer.
WN16-SO-000430 CCI-000068 Windows Server 2016 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
WN16-SO-000450 CCI-000366 The default permissions of global system objects must be strengthened.
WN16-SO-000460 CCI-002038 User Account Control approval mode for the built-in Administrator must be enabled.
WN16-SO-000470 CCI-001084 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
WN16-SO-000480 CCI-001084 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
WN16-SO-000490 CCI-002038 User Account Control must automatically deny standard user requests for elevation.
WN16-SO-000500 CCI-001084 User Account Control must be configured to detect application installations and prompt for elevation.
WN16-SO-000510 CCI-001084 User Account Control must only elevate UIAccess applications that are installed in secure locations.
WN16-SO-000520 CCI-002038 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
WN16-SO-000530 CCI-001084 User Account Control must virtualize file and registry write failures to per-user locations.
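The following PowerShell is an added example, not part of the STIG. It checks the registry values behind the Security Options and member-server items that are registry-backed: WN16-CC-000030 (WDigest), WN16-MS-000020, WN16-MS-000050 and WN16-MS-000310, and WN16-SO-000260 through WN16-SO-000520 where a registry value exists. The paths, value names and expected values are the ones named in the STIG check text for each ID; the baseline table, the function name and the Open/NotAFinding labels are this example's own. Confirm the values against the STIG release in force before relying on the result.

```powershell
# Added example for registry-backed Security Options (WN16-SO-*), the WDigest item
# (WN16-CC-000030) and the member-server items WN16-MS-000020/000050/000310. Run elevated.
# Expected is a scalar, an array of acceptable values, or a script block returning $true.

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$polSys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$baseline = @(
    @{ Id='WN16-CC-000030'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name='UseLogonCredential'; Expected=0 },
    @{ Id='WN16-MS-000020'; Path=$polSys; Name='LocalAccountTokenFilterPolicy'; Expected=0 },
    @{ Id='WN16-MS-000050'; Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='CachedLogonsCount'; Expected={ [int]$args[0] -le 4 } },
    @{ Id='WN16-MS-000310'; Path=$lsa; Name='RestrictRemoteSAM'; Expected='O:BAG:BAD:(A;;RC;;;BA)' },
    @{ Id='WN16-SO-000260'; Path=$lsa; Name='RestrictAnonymousSAM';      Expected=1 },
    @{ Id='WN16-SO-000270'; Path=$lsa; Name='RestrictAnonymous';         Expected=1 },
    @{ Id='WN16-SO-000290'; Path=$lsa; Name='EveryoneIncludesAnonymous'; Expected=0 },
    @{ Id='WN16-SO-000320'; Path=$lsa; Name='UseMachineId';              Expected=1 },
    @{ Id='WN16-SO-000330'; Path=$msv; Name='allownullsessionfallback';  Expected=0 },
    @{ Id='WN16-SO-000340'; Path="$lsa\pku2u"; Name='AllowOnlineID';     Expected=0 },
    @{ Id='WN16-SO-000350'; Path="$polSys\Kerberos\Parameters"; Name='SupportedEncryptionTypes'; Expected=2147483640 },  # 0x7ffffff8: AES only, no DES/RC4
    @{ Id='WN16-SO-000360'; Path=$lsa; Name='NoLMHash';                  Expected=1 },
    @{ Id='WN16-SO-000380'; Path=$lsa; Name='LmCompatibilityLevel';      Expected=5 },
    @{ Id='WN16-SO-000390'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name='LDAPClientIntegrity'; Expected=@(1, 2) },  # 1 negotiate, 2 require
    @{ Id='WN16-SO-000400'; Path=$msv; Name='NTLMMinClientSec';          Expected=537395200 },  # 0x20080000: NTLMv2 session security + 128-bit
    @{ Id='WN16-SO-000410'; Path=$msv; Name='NTLMMinServerSec';          Expected=537395200 },
    @{ Id='WN16-SO-000430'; Path="$lsa\FIPSAlgorithmPolicy"; Name='Enabled'; Expected=1 },
    @{ Id='WN16-SO-000460'; Path=$polSys; Name='FilterAdministratorToken';   Expected=1 },
    @{ Id='WN16-SO-000490'; Path=$polSys; Name='ConsentPromptBehaviorUser';  Expected=0 },
    @{ Id='WN16-SO-000520'; Path=$polSys; Name='EnableLUA';                  Expected=1 }
)

function Test-RegistryBaseline {
    foreach ($b in $baseline) {
        $item   = Get-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($b.Name) } else { $null }

        # A missing value means the setting was never configured, which is a finding.
        if ($null -eq $actual) { $ok = $false }
        elseif ($b.Expected -is [scriptblock]) { $ok = [bool](& $b.Expected $actual) }
        else { $ok = @($b.Expected) -contains $actual }

        [pscustomobject]@{
            StigId   = $b.Id
            Value    = "$($b.Path)\$($b.Name)"
            Expected = if ($b.Expected -is [scriptblock]) { 'rule' } else { @($b.Expected) -join ' or ' }
            Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
            Status   = if ($ok) { 'NotAFinding' } else { 'Open' }
        }
    }
}

Test-RegistryBaseline | Where-Object Status -eq 'Open' | Format-Table -AutoSize
```

Items such as WN16-SO-000250 (anonymous SID/Name translation) and the secure-channel signing settings live in the LSA policy database rather than in a plain registry value, so they are not covered by a registry read; WN16-SO-000250 is checked through the security policy export instead.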
WN16-UC-000030 CCI-000366 Zone information must be preserved when saving attachments.
WN16-UR-000010 CCI-002235 The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
WN16-UR-000030 CCI-002235 The Act as part of the operating system user right must not be assigned to any groups or accounts.
WN16-UR-000050 CCI-000213 The Allow log on locally user right must only be assigned to the Administrators group.
WN16-UR-000070 CCI-002235 The Back up files and directories user right must only be assigned to the Administrators group.
WN16-UR-000080 CCI-002235 The Create a pagefile user right must only be assigned to the Administrators group.
WN16-UR-000100 CCI-002235 The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN16-UR-000110 CCI-002235 The Create permanent shared objects user right must not be assigned to any groups or accounts.
WN16-UR-000120 CCI-002235 The Create symbolic links user right must only be assigned to the Administrators group.
WN16-UR-000130 CCI-002235 The Debug programs user right must only be assigned to the Administrators group.
WN16-UR-000200 CCI-002235 The Force shutdown from a remote system user right must only be assigned to the Administrators group.
WN16-UR-000210 CCI-002235 The Generate security audits user right must only be assigned to Local Service and Network Service.
WN16-UR-000220 CCI-002235 The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN16-UR-000230 CCI-002235 The Increase scheduling priority user right must only be assigned to the Administrators group.
WN16-UR-000240 CCI-002235 The Load and unload device drivers user right must only be assigned to the Administrators group.
WN16-UR-000250 CCI-002235 The Lock pages in memory user right must not be assigned to any groups or accounts.
WN16-UR-000260 CCI-000162 The Manage auditing and security log user right must only be assigned to the Administrators group.
WN16-UR-000270 CCI-002235 The Modify firmware environment values user right must only be assigned to the Administrators group.
WN16-UR-000280 CCI-002235 The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
WN16-UR-000290 CCI-002235 The Profile single process user right must only be assigned to the Administrators group.
WN16-UR-000090 CCI-002235 The Create a token object user right must not be assigned to any groups or accounts.
WN16-UR-000300 CCI-002235 The Restore files and directories user right must only be assigned to the Administrators group.
WN16-UR-000310 CCI-002235 The Take ownership of files or other objects user right must only be assigned to the Administrators group.
WN16-CC-000421 CCI-000366 The Windows Explorer Preview pane must be disabled for Windows Server 2016.
WN16-CC-000555 CCI-000134 Windows Server 2016 must have PowerShell Transcription enabled.
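The following PowerShell is an added example, not part of the STIG. One secedit export serves two groups of checks above: the account lockout and password policy in WN16-AC-000010 through WN16-AC-000090 (the [System Access] section) and the user rights assignments in WN16-UR-000010 through WN16-UR-000310 (the [Privilege Rights] section). The privilege constants and well-known SIDs are standard Windows names; the rules table, the parser and the Open/NotAFinding labels are this example's own. On a domain-joined member server the export reflects what Group Policy has applied locally; the domain account policy itself is authoritative on the domain controllers.

```powershell
# Added example for WN16-AC-000010..000090 and WN16-UR-000010..000310. Run elevated.

$inf = Join-Path $env:TEMP 'wn16-secpol.inf'
secedit /export /cfg $inf /quiet | Out-Null

function ConvertFrom-SecurityTemplate([string]$Path) {
    # INI-style export: [Section] headers followed by Key = Value lines.
    $sections = @{}; $current = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $sections[$current][$Matches[1]] = $Matches[2] }
    }
    $sections
}

# [System Access]: lockout values are minutes, password ages are days.
# LockoutDuration -1 in the export means "until an administrator unlocks", which the STIG accepts.
$accountPolicy = @(
    @{ Id='WN16-AC-000010'; Key='LockoutDuration';       Text='15 or more, or -1'; Rule={ $args[0] -ge 15 -or $args[0] -eq -1 } },
    @{ Id='WN16-AC-000020'; Key='LockoutBadCount';       Text='1 to 3';            Rule={ $args[0] -ge 1 -and $args[0] -le 3 } },
    @{ Id='WN16-AC-000030'; Key='ResetLockoutCount';     Text='15 or more';        Rule={ $args[0] -ge 15 } },
    @{ Id='WN16-AC-000040'; Key='PasswordHistorySize';   Text='24 or more';        Rule={ $args[0] -ge 24 } },
    @{ Id='WN16-AC-000050'; Key='MaximumPasswordAge';    Text='1 to 60';           Rule={ $args[0] -ge 1 -and $args[0] -le 60 } },
    @{ Id='WN16-AC-000060'; Key='MinimumPasswordAge';    Text='1 or more';         Rule={ $args[0] -ge 1 } },
    @{ Id='WN16-AC-000070'; Key='MinimumPasswordLength'; Text='14 or more';        Rule={ $args[0] -ge 14 } },
    @{ Id='WN16-AC-000080'; Key='PasswordComplexity';    Text='1';                 Rule={ $args[0] -eq 1 } },
    @{ Id='WN16-AC-000090'; Key='ClearTextPassword';     Text='0';                 Rule={ $args[0] -eq 0 } }
)

# [Privilege Rights]: holders appear as *S-1-... SIDs or as account names, comma separated.
# A right absent from the export is assigned to nobody.
$BA = 'S-1-5-32-544'; $SVC = 'S-1-5-6'; $LS = 'S-1-5-19'; $NS = 'S-1-5-20'
$userRights = @(
    @{ Id='WN16-UR-000010'; Right='SeTrustedCredManAccessPrivilege'; Allowed=@() },
    @{ Id='WN16-UR-000030'; Right='SeTcbPrivilege';                  Allowed=@() },
    @{ Id='WN16-UR-000050'; Right='SeInteractiveLogonRight';         Allowed=@($BA) },
    @{ Id='WN16-UR-000070'; Right='SeBackupPrivilege';               Allowed=@($BA) },
    @{ Id='WN16-UR-000080'; Right='SeCreatePagefilePrivilege';       Allowed=@($BA) },
    @{ Id='WN16-UR-000090'; Right='SeCreateTokenPrivilege';          Allowed=@() },
    @{ Id='WN16-UR-000100'; Right='SeCreateGlobalPrivilege';         Allowed=@($BA, $SVC, $LS, $NS) },
    @{ Id='WN16-UR-000110'; Right='SeCreatePermanentPrivilege';      Allowed=@() },
    @{ Id='WN16-UR-000120'; Right='SeCreateSymbolicLinkPrivilege';   Allowed=@($BA) },
    @{ Id='WN16-UR-000130'; Right='SeDebugPrivilege';                Allowed=@($BA) },
    @{ Id='WN16-UR-000200'; Right='SeRemoteShutdownPrivilege';       Allowed=@($BA) },
    @{ Id='WN16-UR-000210'; Right='SeAuditPrivilege';                Allowed=@($LS, $NS) },
    @{ Id='WN16-UR-000220'; Right='SeImpersonatePrivilege';          Allowed=@($BA, $SVC, $LS, $NS) },
    @{ Id='WN16-UR-000230'; Right='SeIncreaseBasePriorityPrivilege'; Allowed=@($BA) },
    @{ Id='WN16-UR-000240'; Right='SeLoadDriverPrivilege';           Allowed=@($BA) },
    @{ Id='WN16-UR-000250'; Right='SeLockMemoryPrivilege';           Allowed=@() },
    @{ Id='WN16-UR-000260'; Right='SeSecurityPrivilege';             Allowed=@($BA) },
    @{ Id='WN16-UR-000270'; Right='SeSystemEnvironmentPrivilege';    Allowed=@($BA) },
    @{ Id='WN16-UR-000280'; Right='SeManageVolumePrivilege';         Allowed=@($BA) },
    @{ Id='WN16-UR-000290'; Right='SeProfileSingleProcessPrivilege'; Allowed=@($BA) },
    @{ Id='WN16-UR-000300'; Right='SeRestorePrivilege';              Allowed=@($BA) },
    @{ Id='WN16-UR-000310'; Right='SeTakeOwnershipPrivilege';        Allowed=@($BA) }
)

function Resolve-Principal([string]$Token) {
    # Returns @{ Sid; Name } for a '*S-1-...' token or a plain account name.
    try {
        if ($Token.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Token.Substring(1))
            return @{ Sid = $sid.Value; Name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        }
        $sid = (New-Object System.Security.Principal.NTAccount($Token)).Translate([System.Security.Principal.SecurityIdentifier])
        return @{ Sid = $sid.Value; Name = $Token }
    } catch { return @{ Sid = $Token; Name = $Token } }   # unresolvable: likely an orphaned SID (WN16-00-000460)
}

function Get-SecurityPolicyFindings {
    $pol = ConvertFrom-SecurityTemplate $inf
    foreach ($p in $accountPolicy) {
        $raw = $pol['System Access'][$p.Key]
        $ok  = ($null -ne $raw) -and (& $p.Rule ([int]$raw))   # cast: exported values are strings
        [pscustomobject]@{ StigId = $p.Id; Setting = $p.Key; Expected = $p.Text; Actual = $raw
                           Status = if ($ok) { 'NotAFinding' } else { 'Open' } }
    }
    foreach ($r in $userRights) {
        $raw     = $pol['Privilege Rights'][$r.Right]
        $holders = if ($raw) { $raw.Split(',') | ForEach-Object { Resolve-Principal $_.Trim() } } else { @() }
        $extra   = @($holders | Where-Object { $r.Allowed -notcontains $_.Sid })   # anyone beyond the allowed set
        [pscustomobject]@{ StigId = $r.Id; Setting = $r.Right
                           Expected = if ($r.Allowed) { ($r.Allowed | ForEach-Object { (Resolve-Principal "*$_").Name }) -join ', ' } else { '(nobody)' }
                           Actual   = ($holders | ForEach-Object { $_.Name }) -join ', '
                           Status   = if ($extra.Count -eq 0) { 'NotAFinding' } else { 'Open' } }
    }
}

Get-SecurityPolicyFindings | Where-Object Status -eq 'Open' | Format-Table -AutoSize
Remove-Item $inf -ErrorAction SilentlyContinue
```

The comparison is one-directional on purpose: a right held by fewer principals than the STIG allows is not a finding, while any extra holder is. Where the STIG text permits documented exceptions (for example a Hyper-V host's virtual machine group holding Create symbolic links), record them as an allowed SID in the table rather than ignoring the finding. The same export also carries the Kerberos policy section that WN16-DC-000020 through WN16-DC-000060 check on domain controllers, which can be added to the table in the same way.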