Microsoft Windows Server 2025 STIG V1R1

STIG ID         Title
WN25-00-000001  Windows Server 2025 must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs).
WN25-00-000002  Windows Server 2025 must prohibit the use or connection of unauthorized hardware components.
WN25-00-000010  Windows Server 2025 users with administrative privileges must have separate accounts for administrative duties and normal operational tasks.
WN25-00-000020  Windows Server 2025 passwords for the built-in Administrator account must be changed at least every 60 days.
WN25-00-000030  Windows Server 2025 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.
WN25-00-000040  Windows Server 2025 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
WN25-00-000050  Windows Server 2025 manually managed application account passwords must be at least 15 characters in length.
WN25-00-000060  Windows Server 2025 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
WN25-00-000070  Windows Server 2025 shared user accounts must not be permitted.
WN25-00-000080  Windows Server 2025 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
WN25-00-000090  Windows Server 2025 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use.
WN25-00-000110  Windows Server 2025 must use an antivirus program.
WN25-00-000120  Windows Server 2025 must have a host-based intrusion detection and prevention service (IDPS) installed.
WN25-00-000130  Windows Server 2025 local volumes must use a format that supports New Technology File System (NTFS) attributes.
WN25-00-000140  Windows Server 2025 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.
WN25-00-000150  Windows Server 2025 permissions for program file directories must conform to minimum requirements.
WN25-00-000160  Windows Server 2025 permissions for the Windows installation directory must conform to minimum requirements.
WN25-00-000170  Windows Server 2025 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
WN25-00-000180  Windows Server 2025 nonadministrative accounts or groups must only have print permissions on printer shares.
WN25-00-000190  Outdated or unused accounts on Windows Server 2025 must be removed or disabled.
WN25-00-000200  Windows Server 2025 accounts must require passwords.
WN25-00-000210  Windows Server 2025 passwords must be configured to expire.
WN25-00-000220  Windows Server 2025 system files must be monitored for unauthorized changes.
WN25-00-000230  Windows Server 2025 nonsystem-created file shares must limit access to groups that require it.
WN25-00-000240  Windows Server 2025 must have software certificate installation files removed.
WN25-00-000250  Windows Server 2025 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
WN25-00-000260  Windows Server 2025 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
WN25-00-000270  Windows Server 2025 must have the roles and features required by the system documented.
WN25-00-000280  Windows Server 2025 must have a host-based firewall installed and enabled.
WN25-00-000300  Windows Server 2025 must automatically remove or disable temporary user accounts after 72 hours.
WN25-00-000310  Windows Server 2025 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
WN25-00-000320  Windows Server 2025 must not have the Fax Server role installed.
WN25-00-000330  Windows Server 2025 must not have the Microsoft FTP service installed unless required by the organization.
WN25-00-000332  Windows Server 2025 must not have Wi-Fi enabled unless required by the organization.
WN25-00-000333  Windows Server 2025 must not have Bluetooth enabled unless required by the organization.
WN25-00-000340  Windows Server 2025 must not have the Peer Name Resolution Protocol installed.
WN25-00-000350  Windows Server 2025 must not have Simple TCP/IP Services installed.
WN25-00-000360  Windows Server 2025 must not have the Telnet Client installed.
WN25-00-000370  Windows Server 2025 must not have the TFTP Client installed.
WN25-00-000380  Windows Server 2025 must not have the Server Message Block (SMB) v1 protocol installed.
WN25-00-000390  Windows Server 2025 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.
WN25-00-000400  Windows Server 2025 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.
WN25-00-000410  Windows Server 2025 must not have Windows PowerShell 2.0 installed.
WN25-00-000420  Windows Server 2025 FTP servers must be configured to prevent anonymous logons.
WN25-00-000430  Windows Server 2025 FTP servers must be configured to prevent access to the system drive.
WN25-00-000440  The Windows Server 2025 time service must synchronize with an appropriate DOD time source.
WN25-00-000450  Windows Server 2025 must have orphaned security identifiers (SIDs) removed from user rights.
WN25-00-000460  Windows Server 2025 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
WN25-00-000470  Windows Server 2025 must have Secure Boot enabled.
WN25-AC-000010  Windows Server 2025 account lockout duration must be configured to 15 minutes or greater.
WN25-AC-000020  Windows Server 2025 must have the number of allowed bad logon attempts configured to three or less.
WN25-AC-000030  Windows Server 2025 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
WN25-AC-000040  Windows Server 2025 password history must be configured to 24 passwords remembered.
WN25-AC-000050  Windows Server 2025 maximum password age must be configured to 60 days or less.
WN25-AC-000060  Windows Server 2025 minimum password age must be configured to at least one day.
WN25-AC-000080  Windows Server 2025 must have the built-in Windows password complexity policy enabled.
WN25-AC-000090  Windows Server 2025 reversible password encryption must be disabled.
WN25-AU-000010  Windows Server 2025 audit records must be backed up to a different system or media than the system being audited.
WN25-AU-000020  Windows Server 2025 must, at a minimum, off-load audit records of interconnected systems in real time and off-load stand-alone or nondomain-joined systems weekly.
WN25-AU-000030  Windows Server 2025 permissions for the Application event log must prevent access by nonprivileged accounts.
WN25-AU-000040  Windows Server 2025 permissions for the Security event log must prevent access by nonprivileged accounts.
WN25-AU-000050  Windows Server 2025 permissions for the System event log must prevent access by nonprivileged accounts.
WN25-AU-000060  Windows Server 2025 Event Viewer must be protected from unauthorized modification and deletion.
WN25-AU-000070  Windows Server 2025 must be configured to audit Account Logon - Credential Validation successes.
WN25-AU-000080  Windows Server 2025 must be configured to audit Account Logon - Credential Validation failures.
WN25-AU-000090  Windows Server 2025 must be configured to audit Account Management - Other Account Management Events successes.
WN25-AU-000100  Windows Server 2025 must be configured to audit Account Management - Security Group Management successes.
WN25-AU-000110  Windows Server 2025 must be configured to audit Account Management - User Account Management successes.
WN25-AU-000120  Windows Server 2025 must be configured to audit Account Management - User Account Management failures.
WN25-AU-000130  Windows Server 2025 must be configured to audit Detailed Tracking - Plug and Play Events successes.
WN25-AU-000140  Windows Server 2025 must be configured to audit Detailed Tracking - Process Creation successes.
WN25-AU-000150  Windows Server 2025 must be configured to audit Logon/Logoff - Account Lockout successes.
WN25-AU-000160  Windows Server 2025 must be configured to audit Logon/Logoff - Account Lockout failures.
WN25-AU-000170  Windows Server 2025 must be configured to audit Logon/Logoff - Group Membership successes.
WN25-AU-000180  Windows Server 2025 must be configured to audit logoff successes.
WN25-AU-000190  Windows Server 2025 must be configured to audit logon successes.
WN25-AU-000200  Windows Server 2025 must be configured to audit logon failures.
WN25-AU-000210  Windows Server 2025 must be configured to audit Logon/Logoff - Special Logon successes.
WN25-AU-000220  Windows Server 2025 must be configured to audit Object Access - Other Object Access Events successes.
WN25-AU-000230  Windows Server 2025 must be configured to audit Object Access - Other Object Access Events failures.
WN25-AU-000240  Windows Server 2025 must be configured to audit Object Access - Removable Storage successes.
WN25-AU-000250  Windows Server 2025 must be configured to audit Object Access - Removable Storage failures.
WN25-AU-000260  Windows Server 2025 must be configured to audit Policy Change - Audit Policy Change successes.
WN25-AU-000270  Windows Server 2025 must be configured to audit Policy Change - Audit Policy Change failures.
WN25-AU-000280  Windows Server 2025 must be configured to audit Policy Change - Authentication Policy Change successes.
WN25-AU-000281  Windows Server 2025 must be configured to audit Policy Change - Authorization Policy Change successes.
WN25-AU-000300  Windows Server 2025 must be configured to audit Privilege Use - Sensitive Privilege Use successes.
WN25-AU-000310  Windows Server 2025 must be configured to audit Privilege Use - Sensitive Privilege Use failures.
WN25-AU-000320  Windows Server 2025 must be configured to audit System - IPsec Driver successes.
WN25-AU-000330  Windows Server 2025 must be configured to audit System - IPsec Driver failures.
WN25-AU-000340  Windows Server 2025 must be configured to audit System - Other System Events successes.
WN25-AU-000350  Windows Server 2025 must be configured to audit System - Other System Events failures.
WN25-AU-000360  Windows Server 2025 must be configured to audit System - Security State Change successes.
WN25-AU-000370  Windows Server 2025 must be configured to audit System - Security System Extension successes.
WN25-AU-000380  Windows Server 2025 must be configured to audit System - System Integrity successes.
WN25-AU-000390  Windows Server 2025 must be configured to audit System - System Integrity failures.
WN25-CC-000010  Windows Server 2025 must prevent the display of slide shows on the lock screen.
WN25-CC-000030  Windows Server 2025 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing.
WN25-CC-000040  Windows Server 2025 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing.
WN25-CC-000050  Windows Server 2025 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
WN25-CC-000060  Windows Server 2025 must be configured to ignore NetBIOS name release requests except from WINS servers.
WN25-CC-000070  Windows Server 2025 insecure logons to an SMB server must be disabled.
WN25-CC-000080  Windows Server 2025 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
WN25-CC-000090  Windows Server 2025 command line data must be included in process creation events.
WN25-CC-000100  Windows Server 2025 must be configured to enable Remote host allows delegation of nonexportable credentials.
WN25-CC-000110  Windows Server 2025 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.
WN25-CC-000130  Windows Server 2025 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad.
WN25-CC-000140  Windows Server 2025 group policy objects must be reprocessed even if they have not changed.
WN25-CC-000150  Windows Server 2025 downloading print driver packages over HTTP must be turned off.
WN25-CC-000160  Windows Server 2025 printing over HTTP must be turned off.
WN25-CC-000170  Windows Server 2025 network selection user interface (UI) must not be displayed on the logon screen.
WN25-CC-000180  Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (on battery).
WN25-CC-000190  Windows Server 2025 users must be prompted to authenticate when the system wakes from sleep (plugged in).
WN25-CC-000200  Windows Server 2025 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
WN25-CC-000210  Windows Server 2025 AutoPlay must be turned off for nonvolume devices.
WN25-CC-000220  Windows Server 2025 default AutoRun behavior must be configured to prevent AutoRun commands.
WN25-CC-000230  Windows Server 2025 AutoPlay must be disabled for all drives.
WN25-CC-000240  Windows Server 2025 administrator accounts must not be enumerated during elevation.
WN25-CC-000250  Windows Server 2025 Telemetry must be configured to limit diagnostic data sent to Microsoft.
WN25-CC-000260  Windows Server 2025 Windows Update must not obtain updates from other PCs on the internet.
WN25-CC-000270  Windows Server 2025 Application event log size must be configured to 32768 KB or greater.
WN25-CC-000280  Windows Server 2025 Security event log size must be configured to 196608 KB or greater.
WN25-CC-000290  Windows Server 2025 System event log size must be configured to 32768 KB or greater.
WN25-CC-000300  Windows Server 2025 Microsoft Defender antivirus SmartScreen must be enabled.
WN25-CC-000310  Windows Server 2025 Explorer Data Execution Prevention must be enabled.
WN25-CC-000320  Windows Server 2025 Turning off File Explorer heap termination on corruption must be disabled.
WN25-CC-000330  Windows Server 2025 File Explorer shell protocol must run in protected mode.
WN25-CC-000340  Windows Server 2025 must not save passwords in the Remote Desktop Client.
WN25-CC-000350  Windows Server 2025 Remote Desktop Services must prevent drive redirection.
WN25-CC-000360  Windows Server 2025 Remote Desktop Services must always prompt a client for passwords upon connection.
WN25-CC-000370  Windows Server 2025 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications.
WN25-CC-000380  Windows Server 2025 Remote Desktop Services must be configured with the client connection encryption set to High Level.
WN25-CC-000390  Windows Server 2025 must prevent attachments from being downloaded from RSS feeds.
WN25-CC-000400  Windows Server 2025 must disable Basic authentication for RSS feeds over HTTP.
WN25-CC-000410  Windows Server 2025 must prevent Indexing of encrypted files.
WN25-CC-000420  Windows Server 2025 must prevent users from changing installation options.
WN25-CC-000430  Windows Server 2025 must disable the Windows Installer Always install with elevated privileges option.
WN25-CC-000440  Windows Server 2025 users must be notified if a web-based program attempts to install software.
WN25-CC-000450  Windows Server 2025 must disable automatically signing in the last interactive user after a system-initiated restart.
WN25-CC-000460  Windows Server 2025 PowerShell script block logging must be enabled.
WN25-CC-000470  Windows Server 2025 Windows Remote Management (WinRM) client must not use Basic authentication.
WN25-CC-000480  Windows Server 2025 Windows Remote Management (WinRM) client must not allow unencrypted traffic.
WN25-CC-000490  Windows Server 2025 Windows Remote Management (WinRM) client must not use Digest authentication.
WN25-CC-000500  Windows Server 2025 Windows Remote Management (WinRM) service must not use Basic authentication.
WN25-CC-000510  Windows Server 2025 Windows Remote Management (WinRM) service must not allow unencrypted traffic.
WN25-CC-000520  Windows Server 2025 Windows Remote Management (WinRM) service must not store RunAs credentials.
WN25-CC-000530  Windows Server 2025 must have PowerShell Transcription enabled.
WN25-DC-000010  Windows Server 2025 must only allow administrators responsible for the domain controller to have Administrator rights on the system.
WN25-DC-000020  Windows Server 2025 Kerberos user logon restrictions must be enforced.
WN25-DC-000030  Windows Server 2025 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
WN25-DC-000040  Windows Server 2025 Kerberos user ticket lifetime must be limited to 10 hours or less.
WN25-DC-000050  Windows Server 2025 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
WN25-DC-000060  Windows Server 2025 computer clock synchronization tolerance must be limited to five minutes or less.
WN25-DC-000070  Windows Server 2025 permissions on the Active Directory data files must only allow system administrators (SAs) access.
WN25-DC-000080  Windows Server 2025 Active Directory SYSVOL directory must have the proper access control permissions.
WN25-DC-000090  Windows Server 2025 Active Directory (AD) Group Policy Objects (GPOs) must have proper access control permissions.
WN25-DC-000100  Windows Server 2025 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
WN25-DC-000110  Windows Server 2025 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions.
WN25-DC-000120  Windows Server 2025 data files owned by users must be on a different logical partition from the directory server data files.
WN25-DC-000130  Windows Server 2025 domain controllers must run on a machine dedicated to that function.
WN25-DC-000140  Windows Server 2025 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data.
WN25-DC-000150  Windows Server 2025 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access.
WN25-DC-000160  Windows Server 2025 directory service must be configured to terminate LDAP-based network connections to the directory server after five minutes of inactivity.
WN25-DC-000170  Windows Server 2025 Active Directory Group Policy Objects (GPOs) must be configured with proper audit settings.
WN25-DC-000180  Windows Server 2025 Active Directory (AD) Domain object must be configured with proper audit settings.
WN25-DC-000190  Windows Server 2025 Active Directory (AD) Infrastructure object must be configured with proper audit settings.
WN25-DC-000200  Windows Server 2025 Active Directory (AD) Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings.
WN25-DC-000210  Windows Server 2025 Active Directory (AD) AdminSDHolder object must be configured with proper audit settings.
WN25-DC-000220  Windows Server 2025 Active Directory (AD) RID Manager$ object must be configured with proper audit settings.
WN25-DC-000230  Windows Server 2025 must be configured to audit Account Management - Computer Account Management successes.
WN25-DC-000240  Windows Server 2025 must be configured to audit DS Access - Directory Service Access successes.
WN25-DC-000250  Windows Server 2025 must be configured to audit DS Access - Directory Service Access failures.
WN25-DC-000260  Windows Server 2025 must be configured to audit DS Access - Directory Service Changes successes.
WN25-DC-000270  Windows Server 2025 must be configured to audit DS Access - Directory Service Changes failures.
WN25-DC-000280  Windows Server 2025 domain controllers must have a PKI server certificate.
WN25-DC-000290  Windows Server 2025 domain Controller PKI certificates must be issued by the DOD PKI or an approved External Certificate Authority (ECA).
WN25-DC-000300  Windows Server 2025 PKI certificates associated with user accounts must be issued by a DOD PKI or an approved External Certificate Authority (ECA).
WN25-DC-000310  Windows Server 2025 Active Directory (AD) user accounts, including administrators, must be configured to require the use of a common access card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
WN25-DC-000320  Windows Server 2025 domain controllers must require LDAP access signing.
WN25-DC-000330  Windows Server 2025 domain controllers must be configured to allow reset of machine account passwords.
WN25-DC-000340  The Windows Server 2025 "Access this computer from the network" user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers.
WN25-DC-000350  The Windows Server 2025 "Add workstations to domain" user right must only be assigned to the Administrators group on domain controllers.
WN25-DC-000360  The Windows Server 2025 "Allow log on through Remote Desktop Services" user right must only be assigned to the Administrators group on domain controllers.
WN25-DC-000370  The Windows Server 2025 "Deny access to this computer from the network" user right on domain controllers must be configured to prevent unauthenticated access.
WN25-DC-000380  The Windows Server 2025 "Deny log on as a batch job" user right on domain controllers must be configured to prevent unauthenticated access.
WN25-DC-000390  The Windows Server 2025 "Deny log on as a service" user right must be configured to include no accounts or groups (blank) on domain controllers.
WN25-DC-000400  The Windows Server 2025 "Deny log on locally" user right on domain controllers must be configured to prevent unauthenticated access.
WN25-DC-000405  Windows Server 2025 must be configured for certificate-based authentication for domain controllers.
WN25-DC-000406  Windows Server 2025 must be configured for name-based strong mappings for certificates.
WN25-DC-000410  The Windows Server 2025 "Deny log on through Remote Desktop Services" user right on domain controllers must be configured to prevent unauthenticated access.
WN25-DC-000420  The Windows Server 2025 "Enable computer and user accounts to be trusted for delegation" user right must only be assigned to the Administrators group on domain controllers.
WN25-DC-000430  The password for the krbtgt account on a domain must be reset at least every 180 days.
WN25-MS-000010  Windows Server 2025 must only allow administrators responsible for the member server or stand-alone or nondomain-joined system to have Administrator rights on the system.
WN25-MS-000020  Windows Server 2025 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.
WN25-MS-000030  Windows Server 2025 local users on domain-joined member servers must not be enumerated.
WN25-MS-000040  Windows Server 2025 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and stand-alone or nondomain-joined systems.
WN25-MS-000050  Windows Server 2025 must limit the caching of logon credentials to four or less on domain-joined member servers.
WN25-MS-000060  Windows Server 2025 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and stand-alone or nondomain-joined systems.
WN25-MS-000070  Windows Server 2025 "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and stand-alone or nondomain-joined systems.
WN25-MS-000080  The Windows Server 2025 "Deny access to this computer from the network" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems.
WN25-MS-000090  Windows Server 2025 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
WN25-MS-000100  The Windows Server 2025 "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right.
WN25-MS-000110  The Windows Server 2025 "Deny log on locally" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems.
WN25-MS-000120  The Windows Server 2025 "Deny log on through Remote Desktop Services" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.
WN25-MS-000130  The Windows Server 2025 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and stand-alone or nondomain-joined systems.
WN25-MS-000140  Windows Server 2025 must be running Credential Guard on domain-joined member servers.
WN25-PK-000010  Windows Server 2025 must have the DOD Root Certificate Authority (CA) certificates installed in the Trusted Root Store.
WN25-PK-000020  Windows Server 2025 must have the DOD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems.
WN25-PK-000030  Windows Server 2025 must have the US DOD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems.
WN25-SO-000010  Windows Server 2025 must have the built-in guest account disabled.
WN25-SO-000020  Windows Server 2025 must prevent local accounts with blank passwords from being used from the network.
WN25-SO-000030  The Windows Server 2025 built-in administrator account must be renamed.
WN25-SO-000040  The Windows Server 2025 built-in guest account must be renamed.
WN25-SO-000050  Windows Server 2025 must force audit policy subcategory settings to override audit policy category settings.
WN25-SO-000060  The Windows Server 2025 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled.
WN25-SO-000070  Windows Server 2025 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled.
WN25-SO-000080  The Windows Server 2025 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled.
WN25-SO-000090  Windows Server 2025 computer account password must not be prevented from being reset.
WN25-SO-000100  Windows Server 2025 maximum age for machine account passwords must be configured to 30 days or less.
WN25-SO-000110  Windows Server 2025 must be configured to require a strong session key.
WN25-SO-000120  Windows Server 2025 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver.
WN25-SO-000130  The Windows Server 2025 required legal notice must be configured to display before console logon.
WN25-SO-000140  Windows Server 2025 title for legal banner dialog box must be configured with the appropriate text.
WN25-SO-000150  The Windows Server 2025 Smart Card removal option must be configured to Force Logoff or Lock Workstation.
WN25-SO-000160  The Windows Server 2025 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled.
WN25-SO-000170  The Windows Server 2025 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled.
WN25-SO-000180  Windows Server 2025 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers.
WN25-SO-000190  The Windows Server 2025 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled.
WN25-SO-000200  The Windows Server 2025 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled.
WN25-SO-000210  Windows Server 2025 must not allow anonymous SID/Name translation.
WN25-SO-000220  Windows Server 2025 must not allow anonymous enumeration of Security Account Manager (SAM) accounts.
WN25-SO-000230  Windows Server 2025 must not allow anonymous enumeration of shares.
WN25-SO-000240  Windows Server 2025 must be configured to prevent anonymous users from having the same permissions as the Everyone group.
WN25-SO-000250  Windows Server 2025 must restrict anonymous access to Named Pipes and Shares.
WN25-SO-000260  Windows Server 2025 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously.
WN25-SO-000270  Windows Server 2025 must prevent NTLM from falling back to a Null session.
WN25-SO-000280  Windows Server 2025 must prevent PKU2U authentication using online identities.
WN25-SO-000290  Windows Server 2025 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
WN25-SO-000310  Windows Server 2025 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM.
WN25-SO-000320  Windows Server 2025 must be configured to at least negotiate signing for LDAP client signing.
WN25-SO-000330  Windows Server 2025 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption.
WN25-SO-000340  Windows Server 2025 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption.
WN25-SO-000350  Windows Server 2025 users must be required to enter a password to access private keys stored on the computer.
WN25-SO-000360  Windows Server 2025 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
WN25-SO-000370  Windows Server 2025 default permissions of global system objects must be strengthened.
WN25-SO-000380  Windows Server 2025 User Account Control (UAC) approval mode for the built-in Administrator must be enabled.
WN25-SO-000390  Windows Server 2025 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.
WN25-SO-000400  Windows Server 2025 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop.
WN25-SO-000410  Windows Server 2025 User Account Control (UAC) must automatically deny standard user requests for elevation.
WN25-SO-000420  Windows Server 2025 User Account Control (UAC) must be configured to detect application installations and prompt for elevation.
WN25-SO-000430  Windows Server 2025 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.
WN25-SO-000440  Windows Server 2025 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC.
WN25-SO-000450  Windows Server 2025 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.
WN25-UC-000010  Windows Server 2025 must preserve zone information when saving attachments.
WN25-UR-000010  The Windows Server 2025 "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts.
WN25-UR-000020  The Windows Server 2025 "Act as part of the operating system" user right must not be assigned to any groups or accounts.
WN25-UR-000030  The Windows Server 2025 "Allow log on locally" user right must only be assigned to the Administrators group.
WN25-UR-000040  The Windows Server 2025 "Back up files and directories" user right must only be assigned to the Administrators group.
WN25-UR-000050  The Windows Server 2025 "Create a pagefile" user right must only be assigned to the Administrators group.
WN25-UR-000060  The Windows Server 2025 "Create a token object" user right must not be assigned to any groups or accounts.
WN25-UR-000070  The Windows Server 2025 "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN25-UR-000080  The Windows Server 2025 "Create permanent shared objects" user right must not be assigned to any groups or accounts.
WN25-UR-000090  The Windows Server 2025 "Create symbolic links" user right must only be assigned to the Administrators group.
WN25-UR-000100  The Windows Server 2025 "Debug programs" user right must only be assigned to the Administrators group.
WN25-UR-000110  The Windows Server 2025 "Force shutdown from a remote system" user right must only be assigned to the Administrators group.
WN25-UR-000120  The Windows Server 2025 "Generate security audits" user right must only be assigned to Local Service and Network Service.
WN25-UR-000130  The Windows Server 2025 "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service.
WN25-UR-000140  The Windows Server 2025 "Increase scheduling priority" user right must only be assigned to the Administrators group.
WN25-UR-000150  The Windows Server 2025 "Load and unload device drivers" user right must only be assigned to the Administrators group.
WN25-UR-000160  The Windows Server 2025 "Lock pages in memory" user right must not be assigned to any groups or accounts.
WN25-UR-000170  The Windows Server 2025 "Manage auditing and security log" user right must only be assigned to the Administrators group.
WN25-UR-000180  The Windows Server 2025 "Modify firmware environment values" user right must only be assigned to the Administrators group.
WN25-UR-000190  The Windows Server 2025 "Perform volume maintenance tasks" user right must only be assigned to the Administrators group.
WN25-UR-000200  The Windows Server 2025 "Profile single process" user right must only be assigned to the Administrators group.
WN25-UR-000210  The Windows Server 2025 "Restore files and directories" user right must only be assigned to the Administrators group.
WN25-UR-000220  The Windows Server 2025 "Take ownership of files or other objects" user right must only be assigned to the Administrators group.
WN25-AU-000581  Windows Server 2025 must be configured to audit file system failures.
WN25-AU-000582  Windows Server 2025 must be configured to audit file system successes.
WN25-AU-000583  Windows Server 2025 must be configured to audit handle manipulation failures.
WN25-AU-000584  Windows Server 2025 must be configured to audit handle manipulation successes.
WN25-AU-000585  Windows Server 2025 must be configured to audit registry failures.
WN25-AU-000586  Windows Server 2025 must be configured to audit registry successes.
WN25-AU-000587  Windows Server 2025 must be configured to audit sensitive privilege use successes.
WN25-AU-000588  Windows Server 2025 must be configured to audit sensitive privilege use failures.