| STIG ID | Version | Title |
| --- | --- | --- |
| APPL-14-002069 | V2R2 | The macOS system must require administrator privileges to modify systemwide settings. |
| OL07-00-020020 | V3R1 | The Oracle Linux operating system must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| OL07-00-020021 | V3R1 | The Oracle Linux operating system must confine SELinux users to roles that conform to least privilege. |
| OL07-00-020022 | V3R1 | The Oracle Linux operating system must not allow privileged accounts to utilize SSH. |
| OL07-00-020023 | V3R1 | The Oracle Linux operating system must elevate the SELinux context when an administrator calls the sudo command. |
| OL08-00-040400 | V2R2 | OL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| RHEL-07-020020 | V3R9 | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| RHEL-07-020021 | V3R9 | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. |
| RHEL-07-020022 | V3R9 | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH. |
| RHEL-07-020023 | V3R9 | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command. |
| RHEL-08-040400 | V2R1 | RHEL 8 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| RHEL-09-211045 | V2R2 | The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. |
| RHEL-09-211050 | V2R2 | The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9. |
| RHEL-09-211055 | V2R2 | RHEL 9 debug-shell systemd service must be disabled. |
| RHEL-09-432010 | V2R2 | RHEL 9 must have the sudo package installed. |
| WN10-00-000070 | V3R2 | Only accounts responsible for the administration of a system must have Administrator rights on the system. |
| WN10-RG-000005 | V3R2 | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. |
| WN10-SO-000167 | V3R2 | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. |
| WN10-UR-000005 | V3R2 | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. |
| WN10-UR-000015 | V3R2 | The Act as part of the operating system user right must not be assigned to any groups or accounts. |
| WN10-UR-000030 | V3R2 | The Back up files and directories user right must only be assigned to the Administrators group. |
| WN10-UR-000035 | V3R2 | The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc. |
| WN10-UR-000040 | V3R2 | The Create a pagefile user right must only be assigned to the Administrators group. |
| WN10-UR-000045 | V3R2 | The Create a token object user right must not be assigned to any groups or accounts. |
| WN10-UR-000050 | V3R2 | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| WN10-UR-000055 | V3R2 | The Create permanent shared objects user right must not be assigned to any groups or accounts. |
| WN10-UR-000060 | V3R2 | The Create symbolic links user right must only be assigned to the Administrators group. |
| WN10-UR-000065 | V3R2 | The Debug programs user right must only be assigned to the Administrators group. |
| WN10-UR-000095 | V3R2 | The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts. |
| WN10-UR-000100 | V3R2 | The Force shutdown from a remote system user right must only be assigned to the Administrators group. |
| WN10-UR-000110 | V3R2 | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| WN10-UR-000120 | V3R2 | The Load and unload device drivers user right must only be assigned to the Administrators group. |
| WN10-UR-000125 | V3R2 | The Lock pages in memory user right must not be assigned to any groups or accounts. |
| WN10-UR-000140 | V3R2 | The Modify firmware environment values user right must only be assigned to the Administrators group. |
| WN10-UR-000145 | V3R2 | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. |
| WN10-UR-000150 | V3R2 | The Profile single process user right must only be assigned to the Administrators group. |
| WN10-UR-000160 | V3R2 | The Restore files and directories user right must only be assigned to the Administrators group. |
| WN10-UR-000165 | V3R2 | The Take ownership of files or other objects user right must only be assigned to the Administrators group. |
| WN11-RG-000005 | V2R2 | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. |
| WN11-SO-000167 | V2R2 | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. |
| WN11-UR-000005 | V2R2 | The "Access Credential Manager as a trusted caller" user right must not be assigned to any groups or accounts. |
| WN11-UR-000015 | V2R2 | The "Act as part of the operating system" user right must not be assigned to any groups or accounts. |
| WN11-UR-000030 | V2R2 | The "Back up files and directories" user right must only be assigned to the Administrators group. |
| WN11-UR-000035 | V2R2 | The "Change the system time" user right must only be assigned to Administrators and Local Service. |
| WN11-UR-000040 | V2R2 | The "Create a pagefile" user right must only be assigned to the Administrators group. |
| WN11-UR-000045 | V2R2 | The "Create a token object" user right must not be assigned to any groups or accounts. |
| WN11-UR-000050 | V2R2 | The "Create global objects" user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| WN11-UR-000055 | V2R2 | The "Create permanent shared objects" user right must not be assigned to any groups or accounts. |
| WN11-UR-000060 | V2R2 | The "Create symbolic links" user right must only be assigned to the Administrators group. |
| WN11-UR-000065 | V2R2 | The "Debug programs" user right must only be assigned to the Administrators group. |
| WN11-UR-000095 | V2R2 | The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts. |
| WN11-UR-000100 | V2R2 | The "Force shutdown from a remote system" user right must only be assigned to the Administrators group. |
| WN11-UR-000110 | V2R2 | The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| WN11-UR-000120 | V2R2 | The "Load and unload device drivers" user right must only be assigned to the Administrators group. |
| WN11-UR-000125 | V2R2 | The "Lock pages in memory" user right must not be assigned to any groups or accounts. |
| WN11-UR-000140 | V2R2 | The "Modify firmware environment values" user right must only be assigned to the Administrators group. |
| WN11-UR-000145 | V2R2 | The "Perform volume maintenance tasks" user right must only be assigned to the Administrators group. |
| WN11-UR-000150 | V2R2 | The "Profile single process" user right must only be assigned to the Administrators group. |
| WN11-UR-000160 | V2R2 | The "Restore files and directories" user right must only be assigned to the Administrators group. |
| WN11-UR-000165 | V2R2 | The "Take ownership of files or other objects" user right must only be assigned to the Administrators group. |
| WN16-00-000190 | V2R9 | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. |
| WN16-DC-000010 | V2R9 | Only administrators responsible for the domain controller must have Administrator rights on the system. |
| WN16-DC-000070 | V2R9 | Permissions on the Active Directory data files must only allow System and Administrators access. |
| WN16-DC-000080 | V2R9 | The Active Directory SYSVOL directory must have the proper access control permissions. |
| WN16-DC-000090 | V2R9 | Active Directory Group Policy objects must have proper access control permissions. |
| WN16-DC-000100 | V2R9 | The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. |
| WN16-DC-000110 | V2R9 | Domain-created Active Directory Organizational Unit (OU) objects must have proper access control permissions. |
| WN16-DC-000350 | V2R9 | The Add workstations to domain user right must only be assigned to the Administrators group. |
| WN16-DC-000420 | V2R9 | The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. |
| WN16-MS-000010 | V2R9 | Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system. |
| WN16-MS-000310 | V2R9 | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. |
| WN16-MS-000420 | V2R9 | The "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on member servers. |
| WN16-UR-000010 | V2R9 | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. |
| WN16-UR-000030 | V2R9 | The Act as part of the operating system user right must not be assigned to any groups or accounts. |
| WN16-UR-000070 | V2R9 | The Back up files and directories user right must only be assigned to the Administrators group. |
| WN16-UR-000080 | V2R9 | The Create a pagefile user right must only be assigned to the Administrators group. |
| WN16-UR-000100 | V2R9 | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| WN16-UR-000110 | V2R9 | The Create permanent shared objects user right must not be assigned to any groups or accounts. |
| WN16-UR-000120 | V2R9 | The Create symbolic links user right must only be assigned to the Administrators group. |
| WN16-UR-000130 | V2R9 | The Debug programs user right must only be assigned to the Administrators group. |
| WN16-UR-000200 | V2R9 | The Force shutdown from a remote system user right must only be assigned to the Administrators group. |
| WN16-UR-000210 | V2R9 | The Generate security audits user right must only be assigned to Local Service and Network Service. |
| WN16-UR-000220 | V2R9 | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| WN16-UR-000230 | V2R9 | The Increase scheduling priority user right must only be assigned to the Administrators group. |
| WN16-UR-000240 | V2R9 | The Load and unload device drivers user right must only be assigned to the Administrators group. |
| WN16-UR-000250 | V2R9 | The Lock pages in memory user right must not be assigned to any groups or accounts. |
| WN16-UR-000270 | V2R9 | The Modify firmware environment values user right must only be assigned to the Administrators group. |
| WN16-UR-000280 | V2R9 | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. |
| WN16-UR-000290 | V2R9 | The Profile single process user right must only be assigned to the Administrators group. |
| WN16-UR-000090 | V2R9 | The Create a token object user right must not be assigned to any groups or accounts. |
| WN16-UR-000300 | V2R9 | The Restore files and directories user right must only be assigned to the Administrators group. |
| WN16-UR-000310 | V2R9 | The Take ownership of files or other objects user right must only be assigned to the Administrators group. |
| WN19-00-000170 | V3R2 | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. |
| WN19-DC-000010 | V3R2 | Windows Server 2019 must only allow administrators responsible for the domain controller to have Administrator rights on the system. |
| WN19-DC-000070 | V3R2 | Windows Server 2019 permissions on the Active Directory data files must only allow System and Administrators access. |
| WN19-DC-000080 | V3R2 | Windows Server 2019 Active Directory SYSVOL directory must have the proper access control permissions. |
| WN19-DC-000090 | V3R2 | Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. |
| WN19-DC-000100 | V3R2 | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. |
| WN19-DC-000110 | V3R2 | Windows Server 2019 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. |
| WN19-DC-000350 | V3R2 | Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers. |
| WN19-DC-000420 | V3R2 | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. |
| WN19-MS-000010 | V3R2 | Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. |
| WN19-MS-000060 | V3R2 | Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems. |
| WN19-MS-000130 | V3R2 | Windows Server 2019 "Enable computer and user accounts to be trusted for delegation" user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems. |
| WN19-UR-000010 | V3R2 | Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. |
| WN19-UR-000020 | V3R2 | Windows Server 2019 Act as part of the operating system user right must not be assigned to any groups or accounts. |
| WN19-UR-000040 | V3R2 | Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group. |
| WN19-UR-000050 | V3R2 | Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group. |
| WN19-UR-000060 | V3R2 | Windows Server 2019 Create a token object user right must not be assigned to any groups or accounts. |
| WN19-UR-000070 | V3R2 | Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| WN19-UR-000080 | V3R2 | Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts. |
| WN19-UR-000090 | V3R2 | Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group. |
| WN19-UR-000100 | V3R2 | Windows Server 2019 Debug programs: user right must only be assigned to the Administrators group. |
| WN19-UR-000110 | V3R2 | Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group. |
| WN19-UR-000120 | V3R2 | Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service. |
| WN19-UR-000130 | V3R2 | Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| WN19-UR-000140 | V3R2 | Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group. |
| WN19-UR-000150 | V3R2 | Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group. |
| WN19-UR-000160 | V3R2 | Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts. |
| WN19-UR-000180 | V3R2 | Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group. |
| WN19-UR-000190 | V3R2 | Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group. |
| WN19-UR-000200 | V3R2 | Windows Server 2019 Profile single process user right must only be assigned to the Administrators group. |
| WN19-UR-000210 | V3R2 | Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group. |
| WN19-UR-000220 | V3R2 | Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group. |
| WN22-00-000170 | V2R2 | Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. |
| WN22-DC-000010 | V2R2 | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system. |
| WN22-DC-000070 | V2R2 | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access. |
| WN22-DC-000080 | V2R2 | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions. |
| WN22-DC-000090 | V2R2 | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. |
| WN22-DC-000100 | V2R2 | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. |
| WN22-DC-000110 | V2R2 | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. |
| WN22-DC-000350 | V2R2 | Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers. |
| WN22-DC-000420 | V2R2 | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers. |
| WN22-MS-000010 | V2R2 | Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. |
| WN22-MS-000060 | V2R2 | Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems. |
| WN22-MS-000130 | V2R2 | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems. |
| WN22-UR-000010 | V2R2 | Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. |
| WN22-UR-000020 | V2R2 | Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts. |
| WN22-UR-000040 | V2R2 | Windows Server 2022 back up files and directories user right must only be assigned to the Administrators group. |
| WN22-UR-000050 | V2R2 | Windows Server 2022 create a pagefile user right must only be assigned to the Administrators group. |
| WN22-UR-000060 | V2R2 | Windows Server 2022 create a token object user right must not be assigned to any groups or accounts. |
| WN22-UR-000070 | V2R2 | Windows Server 2022 create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| WN22-UR-000080 | V2R2 | Windows Server 2022 create permanent shared objects user right must not be assigned to any groups or accounts. |
| WN22-UR-000090 | V2R2 | Windows Server 2022 create symbolic links user right must only be assigned to the Administrators group. |
| WN22-UR-000100 | V2R2 | Windows Server 2022 debug programs user right must only be assigned to the Administrators group. |
| WN22-UR-000110 | V2R2 | Windows Server 2022 force shutdown from a remote system user right must only be assigned to the Administrators group. |
| WN22-UR-000120 | V2R2 | Windows Server 2022 generate security audits user right must only be assigned to Local Service and Network Service. |
| WN22-UR-000130 | V2R2 | Windows Server 2022 impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. |
| WN22-UR-000140 | V2R2 | Windows Server 2022 increase scheduling priority: user right must only be assigned to the Administrators group. |
| WN22-UR-000150 | V2R2 | Windows Server 2022 load and unload device drivers user right must only be assigned to the Administrators group. |
| WN22-UR-000160 | V2R2 | Windows Server 2022 lock pages in memory user right must not be assigned to any groups or accounts. |
| WN22-UR-000180 | V2R2 | Windows Server 2022 modify firmware environment values user right must only be assigned to the Administrators group. |
| WN22-UR-000190 | V2R2 | Windows Server 2022 perform volume maintenance tasks user right must only be assigned to the Administrators group. |
| WN22-UR-000200 | V2R2 | Windows Server 2022 profile single process user right must only be assigned to the Administrators group. |
| WN22-UR-000210 | V2R2 | Windows Server 2022 restore files and directories user right must only be assigned to the Administrators group. |
| WN22-UR-000220 | V2R2 | Windows Server 2022 take ownership of files or other objects user right must only be assigned to the Administrators group. |