SRG-OS-000080-GPOS-00048 Controls

| STIG ID | Version | Title | Product |
| --- | --- | --- | --- |
| ALMA-09-006180 | V1R5 | AlmaLinux OS 9 must require authentication to access emergency mode. | AlmaLinux OS 9 |
| ALMA-09-006290 | V1R5 | AlmaLinux OS 9 must require a boot loader password. | AlmaLinux OS 9 |
| ALMA-09-006400 | V1R5 | AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes. | AlmaLinux OS 9 |
| ALMA-09-006510 | V1R5 | AlmaLinux OS 9 must require authentication to access single-user mode. | AlmaLinux OS 9 |
| APPL-14-000033 | V2R4 | The macOS system must disable FileVault automatic log on. | macOS 14 - Sonoma |
| APPL-14-002001 | V2R4 | The macOS system must disable Server Message Block sharing. | macOS 14 - Sonoma |
| APPL-14-002003 | V2R4 | The macOS system must disable Network File System service. | macOS 14 - Sonoma |
| APPL-14-002006 | V2R4 | The macOS system must disable Unix-to-Unix Copy Protocol service. | macOS 14 - Sonoma |
| APPL-14-002008 | V2R4 | The macOS system must disable the built-in web server. | macOS 14 - Sonoma |
| APPL-14-002009 | V2R4 | The macOS system must disable AirDrop. | macOS 14 - Sonoma |
| APPL-14-002022 | V2R4 | The macOS system must disable Remote Apple Events. | macOS 14 - Sonoma |
| APPL-14-002050 | V2R4 | The macOS system must disable Screen Sharing and Apple Remote Desktop. | macOS 14 - Sonoma |
| APPL-14-002100 | V2R4 | The macOS system must disable Media Sharing. | macOS 14 - Sonoma |
| APPL-14-002110 | V2R4 | The macOS system must disable Bluetooth sharing. | macOS 14 - Sonoma |
| APPL-14-005058 | V2R4 | The macOS system must disable Handoff. | macOS 14 - Sonoma |
| APPL-14-005070 | V2R4 | The macOS system must enable Authenticated Root. | macOS 14 - Sonoma |
| APPL-15-000033 | V1R6 | The macOS system must disable FileVault automatic login. | macOS 15 - Sequoia |
| APPL-15-002001 | V1R6 | The macOS system must disable Server Message Block (SMB) sharing. | macOS 15 - Sequoia |
| APPL-15-002003 | V1R6 | The macOS system must disable Network File System (NFS) service. | macOS 15 - Sequoia |
| APPL-15-002006 | V1R6 | The macOS system must disable Unix-to-Unix Copy Protocol (UUCP) service. | macOS 15 - Sequoia |
| APPL-15-002008 | V1R6 | The macOS system must disable the built-in web server. | macOS 15 - Sequoia |
| APPL-15-002009 | V1R6 | The macOS system must disable AirDrop. | macOS 15 - Sequoia |
| APPL-15-002022 | V1R6 | The macOS system must disable Remote Apple Events. | macOS 15 - Sequoia |
| APPL-15-002050 | V1R6 | The macOS system must disable Screen Sharing and Apple Remote Desktop. | macOS 15 - Sequoia |
| APPL-15-002100 | V1R6 | The macOS system must disable Media Sharing. | macOS 15 - Sequoia |
| APPL-15-002110 | V1R6 | The macOS system must disable Bluetooth Sharing. | macOS 15 - Sequoia |
| APPL-15-005058 | V1R6 | The macOS system must disable Handoff. | macOS 15 - Sequoia |
| APPL-15-005070 | V1R6 | The macOS system must enable Authenticated Root. | macOS 15 - Sequoia |
| APPL-15-002271 | V1R6 | The macOS system must disable iPhone Mirroring. | macOS 15 - Sequoia |
| OL07-00-010481 | V3R5 | The Oracle Linux operating system must require authentication upon booting into single-user and maintenance modes. | Oracle Linux 7 |
| OL07-00-010482 | V3R5 | Oracle Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. | Oracle Linux 7 |
| OL07-00-010491 | V3R5 | Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. | Oracle Linux 7 |
| OL07-00-010483 | V3R5 | Oracle Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes. | Oracle Linux 7 |
| OL07-00-010492 | V3R5 | Oracle Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Oracle Linux 7 |
| OL08-00-010140 | V2R7 | OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. | Oracle Linux 8 |
| OL08-00-010141 | V2R7 | OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Oracle Linux 8 |
| OL08-00-010149 | V2R7 | OL 8 operating systems booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes. | Oracle Linux 8 |
| OL08-00-010150 | V2R7 | OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Oracle Linux 8 |
| OL08-00-010151 | V2R7 | OL 8 operating systems must require authentication upon booting into rescue mode. | Oracle Linux 8 |
| OL08-00-010152 | V2R7 | OL 8 operating systems must require authentication upon booting into emergency mode. | Oracle Linux 8 |
| OL09-00-000025 | V1R4 | OL 9 must require authentication to access emergency mode. | Oracle Linux 9 |
| OL09-00-000030 | V1R4 | OL 9 must require authentication to access single-user mode. | Oracle Linux 9 |
| OL09-00-000050 | V1R4 | OL 9 must require a unique superuser's name upon booting into single-user and maintenance modes. | Oracle Linux 9 |
| OL09-00-001115 | V1R4 | OL 9 must require a boot loader superuser password. | Oracle Linux 9 |
| RHEL-10-400000 | V1R1 | RHEL 10 must be configured so that the "/etc/group" file is owned by root. | Red Hat Enterprise Linux 10 |
| RHEL-10-400005 | V1R1 | RHEL 10 must be configured so that the "/etc/group" file is group-owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400010 | V1R1 | RHEL 10 must be configured so that the "/etc/group-" file is owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400015 | V1R1 | RHEL 10 must be configured so that the "/etc/group-" file is group-owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400020 | V1R1 | RHEL 10 must be configured so that the "/etc/gshadow" file is owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400025 | V1R1 | RHEL 10 must be configured so that the "/etc/gshadow" file is group-owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400030 | V1R1 | RHEL 10 must be configured so that the "/etc/gshadow-" file is owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400035 | V1R1 | RHEL 10 must be configured so that the "/etc/gshadow-" file is group-owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400040 | V1R1 | RHEL 10 must be configured so that the "/etc/passwd" file is owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400045 | V1R1 | RHEL 10 must be configured so that the "/etc/passwd" file is group-owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400050 | V1R1 | RHEL 10 must be configured so that the "/etc/passwd-" file is owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400055 | V1R1 | RHEL 10 must be configured so that the "/etc/passwd-" file is group-owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400060 | V1R1 | RHEL 10 must be configured so that the "/etc/shadow" file is owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400065 | V1R1 | RHEL 10 must be configured so that the "/etc/shadow" file is group-owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400070 | V1R1 | RHEL 10 must be configured so that the "/etc/shadow-" file is owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400075 | V1R1 | RHEL 10 must be configured so that the "/etc/shadow-" file is group-owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400135 | V1R1 | RHEL 10 must be configured so that cron configuration files directories are group-owned by root. | Red Hat Enterprise Linux 10 |
| RHEL-10-400145 | V1R1 | RHEL 10 must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | Red Hat Enterprise Linux 10 |
| RHEL-10-400150 | V1R1 | RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is group-owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400155 | V1R1 | RHEL 10 must be configured so that the Secure Shell (SSH) server configuration file is owned by "root". | Red Hat Enterprise Linux 10 |
| RHEL-10-400160 | V1R1 | RHEL 10 must ensure that all local interactive user home directories are group-owned by the home directory owner's primary group. | Red Hat Enterprise Linux 10 |
| RHEL-10-400235 | V1R1 | RHEL 10 must enforce mode "0740" or less permissive for local initialization files. | Red Hat Enterprise Linux 10 |
| RHEL-10-400240 | V1R1 | RHEL 10 must enforce mode "0750" or less permissive for local interactive user home directories. | Red Hat Enterprise Linux 10 |
| RHEL-10-400245 | V1R1 | RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group" file to prevent unauthorized access. | Red Hat Enterprise Linux 10 |
| RHEL-10-400250 | V1R1 | RHEL 10 must enforce mode "0644" or less permissive for the "/etc/group-" file to prevent unauthorized access. | Red Hat Enterprise Linux 10 |
| RHEL-10-400255 | V1R1 | RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow" file to prevent unauthorized access. | Red Hat Enterprise Linux 10 |
| RHEL-10-400260 | V1R1 | RHEL 10 must enforce mode "0000" or less permissive for the "/etc/gshadow-" file to prevent unauthorized access. | Red Hat Enterprise Linux 10 |
| RHEL-10-400265 | V1R1 | RHEL 10 must enforce mode "0644" or less permissive for the "/etc/passwd" file to prevent unauthorized access. | Red Hat Enterprise Linux 10 |
| RHEL-10-400270 | V1R1 | RHEL 10 must enforce mode "0644" or less permissive for "/etc/passwd-" file to prevent unauthorized access. | Red Hat Enterprise Linux 10 |
| RHEL-10-400275 | V1R1 | RHEL 10 must enforce mode "0000" or less permissive for "/etc/shadow-" file to prevent unauthorized access. | Red Hat Enterprise Linux 10 |
| RHEL-10-400285 | V1R1 | RHEL 10 must be configured so that all local files and directories have a valid group owner. | Red Hat Enterprise Linux 10 |
| RHEL-10-400290 | V1R1 | RHEL 10 must be configured so that all local files and directories must have a valid owner. | Red Hat Enterprise Linux 10 |
| RHEL-10-400295 | V1R1 | RHEL 10 must enforce mode "0000" for "/etc/shadow" to prevent unauthorized access. | Red Hat Enterprise Linux 10 |
| RHEL-10-400310 | V1R1 | RHEL 10 must set the umask value to "077" for all local interactive user accounts. | Red Hat Enterprise Linux 10 |
| RHEL-10-400315 | V1R1 | RHEL 10 must define default permissions for the bash shell. | Red Hat Enterprise Linux 10 |
| RHEL-10-400320 | V1R1 | RHEL 10 must define default permissions for the c shell. | Red Hat Enterprise Linux 10 |
| RHEL-10-400325 | V1R1 | RHEL 10 must define default permissions for all authenticated users in such a way that the user can read and modify only their own files. | Red Hat Enterprise Linux 10 |
| RHEL-10-400330 | V1R1 | RHEL 10 must define default permissions for the system default profile. | Red Hat Enterprise Linux 10 |
| RHEL-10-400335 | V1R1 | RHEL 10 must enforce that all local initialization files configured by systemd-tmpfiles have mode "0600" or less permissive. | Red Hat Enterprise Linux 10 |
| RHEL-10-400340 | V1R1 | RHEL 10 must enforce mode "0600" or less permissive for Secure Shell (SSH) private host key files. | Red Hat Enterprise Linux 10 |
| RHEL-10-400345 | V1R1 | RHEL 10 must enforce "root" group ownership of the "/boot/grub2/grub.cfg" file. | Red Hat Enterprise Linux 10 |
| RHEL-10-400350 | V1R1 | RHEL 10 must enforce "root" ownership of the "/boot/grub2/grub.cfg" file. | Red Hat Enterprise Linux 10 |
| RHEL-10-400365 | V1R1 | RHEL 10 must prevent code from being executed on file systems that contain user home directories. | Red Hat Enterprise Linux 10 |
| RHEL-10-500005 | V1R1 | RHEL 10 must enable auditing of processes that start prior to the audit daemon. | Red Hat Enterprise Linux 10 |
| RHEL-10-600000 | V1R1 | RHEL 10 must require a boot loader superuser password. | Red Hat Enterprise Linux 10 |
| RHEL-10-600010 | V1R1 | RHEL 10 must require a unique superusers name upon booting into single-user and maintenance modes. | Red Hat Enterprise Linux 10 |
| RHEL-10-600400 | V1R1 | RHEL 10 must allow only the root account to have unrestricted access to the system. | Red Hat Enterprise Linux 10 |
| RHEL-10-600450 | V1R1 | RHEL 10 must not have unauthorized accounts. | Red Hat Enterprise Linux 10 |
| RHEL-10-700010 | V1R1 | RHEL 10 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a Secure Shell (SSH) login. | Red Hat Enterprise Linux 10 |
| RHEL-10-700100 | V1R1 | RHEL 10 must prevent special devices on file systems that are imported via Network File System (NFS). | Red Hat Enterprise Linux 10 |
| RHEL-10-700105 | V1R1 | RHEL 10 must prevent code from being executed on file systems that are imported via Network File System (NFS). | Red Hat Enterprise Linux 10 |
| RHEL-10-700110 | V1R1 | RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on file systems that are imported via Network File System (NFS). | Red Hat Enterprise Linux 10 |
| RHEL-10-700115 | V1R1 | RHEL 10 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS. | Red Hat Enterprise Linux 10 |
| RHEL-10-700130 | V1R1 | RHEL 10 must prevent files with the "setuid" and "setgid" bit set from being executed on the "/boot/efi" directory. | Red Hat Enterprise Linux 10 |
| RHEL-10-700590 | V1R1 | RHEL 10 must be configured so that Secure Shell (SSH) server configuration files' permissions are not modified. | Red Hat Enterprise Linux 10 |
| RHEL-10-700630 | V1R1 | RHEL 10 must not allow a noncertificate trusted host Secure Shell (SSH) login to the system. | Red Hat Enterprise Linux 10 |
| RHEL-10-700680 | V1R1 | RHEL 10 must not have a "shosts.equiv" file on the system. | Red Hat Enterprise Linux 10 |
| RHEL-10-700690 | V1R1 | RHEL 10 must not have any ".shosts" files on the system. | Red Hat Enterprise Linux 10 |
| RHEL-10-700720 | V1R1 | RHEL 10 must not allow unattended or automatic login via the graphical user interface. | Red Hat Enterprise Linux 10 |
| RHEL-10-700800 | V1R1 | RHEL 10 must ensure effective dconf policy matches the policy keyfiles. | Red Hat Enterprise Linux 10 |
| RHEL-10-701250 | V1R1 | RHEL 10 must require authentication to access emergency mode. | Red Hat Enterprise Linux 10 |
| RHEL-10-701260 | V1R1 | RHEL 10 must require authentication to access single-user mode. | Red Hat Enterprise Linux 10 |
| RHEL-10-800070 | V1R1 | RHEL 10 must not have unauthorized IP tunnels configured. | Red Hat Enterprise Linux 10 |
| RHEL-07-010481 | V3R9 | The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes. | Red Hat Enterprise Linux 7 |
| RHEL-07-010482 | V3R9 | Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. | Red Hat Enterprise Linux 7 |
| RHEL-07-010491 | V3R9 | Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. | Red Hat Enterprise Linux 7 |
| RHEL-07-010483 | V3R9 | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes. | Red Hat Enterprise Linux 7 |
| RHEL-07-010492 | V3R9 | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Red Hat Enterprise Linux 7 |
| RHEL-08-010140 | V2R6 | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. | Red Hat Enterprise Linux 8 |
| RHEL-08-010150 | V2R6 | RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Red Hat Enterprise Linux 8 |
| RHEL-08-010151 | V2R6 | RHEL 8 operating systems must require authentication upon booting into rescue mode. | Red Hat Enterprise Linux 8 |
| RHEL-08-010141 | V2R6 | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance. | Red Hat Enterprise Linux 8 |
| RHEL-08-010149 | V2R6 | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes. | Red Hat Enterprise Linux 8 |
| RHEL-08-010152 | V2R6 | RHEL 8 operating systems must require authentication upon booting into emergency mode. | Red Hat Enterprise Linux 8 |
| RHEL-09-212010 | V2R7 | RHEL 9 must require a boot loader superuser password. | Red Hat Enterprise Linux 9 |
| RHEL-09-212020 | V2R7 | RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes. | Red Hat Enterprise Linux 9 |
| RHEL-09-611195 | V2R7 | RHEL 9 must require authentication to access emergency mode. | Red Hat Enterprise Linux 9 |
| RHEL-09-611200 | V2R7 | RHEL 9 must require authentication to access single-user mode. | Red Hat Enterprise Linux 9 |
| RHEL-09-232103 | V2R7 | RHEL 9 "/etc/audit/" must be owned by root. | Red Hat Enterprise Linux 9 |
| RHEL-09-232104 | V2R7 | RHEL 9 "/etc/audit/" must be group-owned by root. | Red Hat Enterprise Linux 9 |
| SLES-12-010430 | V3R4 | SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes. | SUSE Linux Enterprise 12 |
| SLES-12-010440 | V3R4 | SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | SUSE Linux Enterprise 12 |
| SLES-15-010190 | V2R4 | SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes. | SUSE Linux Enterprise 15 |
| SLES-15-010200 | V2R4 | SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | SUSE Linux Enterprise 15 |
| TOSS-04-010030 | V2R3 | TOSS must require authentication upon booting into emergency or rescue modes. | Tri-Lab Operating System Stack |
| UBTU-18-010000 | V2R15 | Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes. | Ubuntu 18.04 |
| UBTU-18-010001 | V2R15 | Ubuntu operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance. | Ubuntu 18.04 |
| UBTU-20-010009 | V2R3 | Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes. | Ubuntu 20.04 |
| UBTU-22-212010 | V2R7 | Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. | Ubuntu 22.04 |
| UBTU-24-102000 | V1R1 | Ubuntu 24.04 LTS when booted must require authentication upon booting into single-user and maintenance modes. | Ubuntu 24.04 |
| WN10-00-000050 | V3R6 | Local volumes must be formatted using NTFS. | Microsoft Windows 10 |
| WN10-UR-000010 | V3R6 | The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. | Microsoft Windows 10 |
| WN10-UR-000025 | V3R6 | The Allow log on locally user right must only be assigned to the Administrators and Users groups. | Microsoft Windows 10 |
| WN10-UR-000070 | V3R6 | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Microsoft Windows 10 |
| WN10-UR-000075 | V3R6 | The "Deny log on as a batch job" user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | Microsoft Windows 10 |
| WN10-UR-000080 | V3R6 | The Deny log on as a service user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | Microsoft Windows 10 |
| WN10-UR-000085 | V3R6 | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. | Microsoft Windows 10 |
| WN10-UR-000090 | V3R6 | The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Microsoft Windows 10 |
| WN11-00-000050 | V2R5 | Local volumes must be formatted using NTFS. | Microsoft Windows 11 |
| WN11-UR-000010 | V2R5 | The "Access this computer from the network" user right must only be assigned to the Administrators and Remote Desktop Users groups. | Microsoft Windows 11 |
| WN11-UR-000025 | V2R5 | The "Allow log on locally" user right must only be assigned to the Administrators and Users groups. | Microsoft Windows 11 |
| WN11-UR-000070 | V2R5 | The "Deny access to this computer from the network" user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Microsoft Windows 11 |
| WN11-UR-000075 | V2R5 | The "Deny log on as a batch job" user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | Microsoft Windows 11 |
| WN11-UR-000080 | V2R5 | The "Deny log on as a service" user right on Windows 11 domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | Microsoft Windows 11 |
| WN11-UR-000085 | V2R5 | The "Deny log on locally" user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. | Microsoft Windows 11 |
| WN11-UR-000090 | V2R5 | The "Deny log on through Remote Desktop Services" user right on Windows 11 workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Microsoft Windows 11 |
| WN16-00-000150 | V2R9 | Local volumes must use a format that supports NTFS attributes. | Microsoft Windows Server 2016 |
| WN16-00-000200 | V2R9 | Non-administrative accounts or groups must only have print permissions on printer shares. | Microsoft Windows Server 2016 |
| WN16-DC-000340 | V2R9 | The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. | Microsoft Windows Server 2016 |
| WN16-DC-000360 | V2R9 | The Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group. | Microsoft Windows Server 2016 |
| WN16-DC-000370 | V2R9 | The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2016 |
| WN16-DC-000380 | V2R9 | The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2016 |
| WN16-DC-000390 | V2R9 | The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. | Microsoft Windows Server 2016 |
| WN16-DC-000400 | V2R9 | The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2016 |
| WN16-MS-000340 | V2R9 | The "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on member servers. | Microsoft Windows Server 2016 |
| WN16-MS-000370 | V2R9 | The "Deny access to this computer from the network" user right on member servers must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and from unauthenticated access on all systems. | Microsoft Windows Server 2016 |
| WN16-MS-000380 | V2R9 | The "Deny log on as a batch job" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems. | Microsoft Windows Server 2016 |
| WN16-MS-000390 | V2R9 | The "Deny log on as a service" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems. No other groups or accounts must be assigned this right. | Microsoft Windows Server 2016 |
| WN16-MS-000400 | V2R9 | The "Deny log on locally" user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems. | Microsoft Windows Server 2016 |
| WN16-UR-000050 | V2R9 | The Allow log on locally user right must only be assigned to the Administrators group. | Microsoft Windows Server 2016 |
| WN19-00-000130 | V3R7 | Windows Server 2019 local volumes must use a format that supports NTFS attributes. | Microsoft Windows Server 2019 |
| WN19-00-000180 | V3R7 | Windows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares. | Microsoft Windows Server 2019 |
| WN19-DC-000340 | V3R7 | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. | Microsoft Windows Server 2019 |
| WN19-DC-000360 | V3R7 | Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers. | Microsoft Windows Server 2019 |
| WN19-DC-000370 | V3R7 | Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2019 |
| WN19-DC-000380 | V3R7 | Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2019 |
| WN19-DC-000390 | V3R7 | Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. | Microsoft Windows Server 2019 |
| WN19-DC-000400 | V3R7 | Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2019 |
| WN19-MS-000070 | V3R7 | Windows Server 2019 "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems. | Microsoft Windows Server 2019 |
| WN19-MS-000080 | V3R7 | Windows Server 2019 "Deny access to this computer from the network" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems. | Microsoft Windows Server 2019 |
| WN19-MS-000090 | V3R7 | Windows Server 2019 "Deny log on as a batch job" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Microsoft Windows Server 2019 |
| WN19-MS-000100 | V3R7 | Windows Server 2019 "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right. | Microsoft Windows Server 2019 |
| WN19-MS-000110 | V3R7 | Windows Server 2019 "Deny log on locally" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Microsoft Windows Server 2019 |
| WN19-UR-000030 | V3R7 | Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group. | Microsoft Windows Server 2019 |
| WN19-DC-000391 | V3R7 | Windows Server 2019 must be configured for certificate-based authentication for domain controllers. | Microsoft Windows Server 2019 |
| WN19-DC-000401 | V3R7 | Windows Server 2019 must be configured for named-based strong mappings for certificates. | Microsoft Windows Server 2019 |
| WN22-00-000130 | V2R7 | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | Microsoft Windows Server 2022 |
| WN22-00-000180 | V2R7 | Windows Server 2022 nonadministrative accounts or groups must only have print permissions on printer shares. | Microsoft Windows Server 2022 |
| WN22-DC-000340 | V2R7 | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. | Microsoft Windows Server 2022 |
| WN22-DC-000360 | V2R7 | Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers. | Microsoft Windows Server 2022 |
| WN22-DC-000370 | V2R7 | Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2022 |
| WN22-DC-000380 | V2R7 | Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2022 |
| WN22-DC-000390 | V2R7 | Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. | Microsoft Windows Server 2022 |
| WN22-DC-000400 | V2R7 | Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2022 |
| WN22-MS-000070 | V2R7 | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems. | Microsoft Windows Server 2022 |
| WN22-MS-000080 | V2R7 | Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems. | Microsoft Windows Server 2022 |
| WN22-MS-000090 | V2R7 | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Microsoft Windows Server 2022 |
| WN22-MS-000100 | V2R7 | Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right. | Microsoft Windows Server 2022 |
| WN22-MS-000110 | V2R7 | Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Microsoft Windows Server 2022 |
| WN22-UR-000030 | V2R7 | Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group. | Microsoft Windows Server 2022 |
| WN22-DC-000405 | V2R7 | Windows Server 2022 must be configured for certificate-based authentication for domain controllers. | Microsoft Windows Server 2022 |
| WN22-DC-000406 | V2R7 | Windows Server 2022 must be configured for name-based strong mappings for certificates. | Microsoft Windows Server 2022 |
| WN25-00-000130 | V1R1 | Windows Server 2025 local volumes must use a format that supports New Technology File System (NTFS) attributes. | Microsoft Windows Server 2025 |
| WN25-00-000180 | V1R1 | Windows Server 2025 nonadministrative accounts or groups must only have print permissions on printer shares. | Microsoft Windows Server 2025 |
| WN25-DC-000340 | V1R1 | The Windows Server 2025 "Access this computer from the network" user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. | Microsoft Windows Server 2025 |
| WN25-DC-000360 | V1R1 | The Windows Server 2025 "Allow log on through Remote Desktop Services" user right must only be assigned to the Administrators group on domain controllers. | Microsoft Windows Server 2025 |
| WN25-DC-000370 | V1R1 | The Windows Server 2025 "Deny access to this computer from the network" user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2025 |
| WN25-DC-000380 | V1R1 | The Windows Server 2025 "Deny log on as a batch job" user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2025 |
| WN25-DC-000390 | V1R1 | The Windows Server 2025 "Deny log on as a service" user right must be configured to include no accounts or groups (blank) on domain controllers. | Microsoft Windows Server 2025 |
| WN25-DC-000400 | V1R1 | The Windows Server 2025 "Deny log on locally" user right on domain controllers must be configured to prevent unauthenticated access. | Microsoft Windows Server 2025 |
| WN25-DC-000405 | V1R1 | Windows Server 2025 must be configured for certificate-based authentication for domain controllers. | Microsoft Windows Server 2025 |
| WN25-DC-000406 | V1R1 | Windows Server 2025 must be configured for name-based strong mappings for certificates. | Microsoft Windows Server 2025 |
| WN25-MS-000070 | V1R1 | Windows Server 2025 "Access this computer from the network" user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and stand-alone or nondomain-joined systems. | Microsoft Windows Server 2025 |
| WN25-MS-000080 | V1R1 | The Windows Server 2025 "Deny access to this computer from the network" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems. | Microsoft Windows Server 2025 |
| WN25-MS-000090 | V1R1 | Windows Server 2025 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Microsoft Windows Server 2025 |
| WN25-MS-000100 | V1R1 | The Windows Server 2025 "Deny log on as a service" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right. | Microsoft Windows Server 2025 |
| WN25-MS-000110 | V1R1 | The Windows Server 2025 "Deny log on locally" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | Microsoft Windows Server 2025 |
| WN25-UR-000030 | V1R1 | The Windows Server 2025 "Allow log on locally" user right must only be assigned to the Administrators group. | Microsoft Windows Server 2025 |