HKU Server Compliance Baseline Policies for Microsoft Windows Platforms

Supported Microsoft Windows Platforms include: Windows Server 2012, 2012R2, 2016, 2019.

Identification and Authorization

| Rule No. | Description | STIG Group ID (Vulid) |
|---|---|---|
| 1 | Restricted use of users with administrative privilege: administrative accounts are used solely for administrative tasks; email applications, web browsers and other applications that access the Internet must not be run under administrative accounts. | V-36451 |
| 2 | Caching of logon credentials: the caching of logon credentials must be limited to avoid exposure of cached credentials. | V-1090 |
| 3 | Anonymous access to the Registry: a default Windows installation allows anonymous access to the Windows Registry; this poses a security risk to the system, so the access must be denied explicitly. | V-1152 |
| 4 | Disable automatic logon: automatic administrator logon on Windows servers must be disabled, and no password may be saved in the Registry. | V-1145 |
| 5 | Recovery Console automatic logon: the automatic logon option in the Recovery Console must be disabled. | V-1159 |
| 6 | Anonymous SID/Name translation: anonymous SID/Name translation is turned on by default in a Windows installation. It must be disabled so that users cannot connect anonymously to perform SID/Name translation. | V-3337 |
| 7 | Anonymous access to named pipes (and shares): anonymous access to named pipes and shares must be disabled. | V-3338, V-6834 |
| 8 | Remotely accessible Registry paths (and sub-paths): remote access to Registry paths (and sub-paths) should be disabled unless it is required for applications to function properly. | V-3339, V-4443 |
| 9 | Audit log warning level: the Windows server must be configured to generate a warning when the Security event log reaches a defined threshold. | V-4108 |
| 10 | Display of last user name: the display of the last logged-on user name on the logon screen must be disabled to avoid disclosure of personal information. | V-11806 |
| 11 | Dormant accounts: any enabled account, except certain accounts used for running applications, that has not logged on to the system within 35 days should be disabled. | V-1112 |
| 12 | Disable Guest account: the built-in Guest account must be disabled. | V-1113 |
| 13 | Password-protected screen saver: a password-protected screen saver must be activated for users, with a recommended timeout of 15 minutes or less. | V-1122 |
| 14 | Screen saver grace period: password protection must take effect within a grace period of 5 seconds or less after the screen saver becomes active. | V-4442 |
| 15 | To safeguard against brute-force logon attempts, automatic account lockout MUST be in effect, locking out an account after a number of consecutive failed logon attempts (recommended value of 8 or less); the lockout setting may be configured to release locked accounts automatically after 30 minutes or more. | V-1097 |

Password Control and Policy

| Rule No. | Description | STIG Group ID (Vulid) |
|---|---|---|
| 16 | User passwords must be changed at least every 180 days. | V-1104 |
| 17 | Users must be warned 7 days in advance of password expiration. | V-1172 |
| 18 | Password complexity: strong passwords must be enforced through OS settings that mandate a mix of upper-case letters, lower-case letters, numbers and special characters. Preferably, a password should contain at least one character from each of these categories. | V-1131 |
| 19 | Use of password encryption: storage of passwords using reversible encryption must be disabled to prevent regeneration of the plaintext password from its stored form. | V-2372 |
| 20 | Storage of passwords and credentials: the system must be configured to prevent the storage of credentials or .NET Passports on the local system, which could lead to account compromise. | V-3376 |
| 21 | Minimum password length: the system must be configured with a minimum password length of 10. | V-6836 |
| 22 | Password requirement: the system must be configured to require a password for all accounts; in other words, no created account may have an empty password that would grant inadvertent access. | V-7002 |
| 23 | Password expiration: the system must be configured to enforce password expiration according to the password age configured in Rule 16. | V-6840 |
| 24 | Limit blank passwords: the password policy should prohibit accounts with blank passwords. If a local account with a blank password does exist, the system must be configured to limit that account to local console logon. | V-3344 |
| 25 | Password re-use must be prevented by enforcing password history at the Windows system level. To comply with the ITS password policy, the system must be configured to prevent re-use of the 3 most recent passwords. | V-1107 |

Auditing and Logging

| Rule No. | Description | STIG Group ID (Vulid) |
|---|---|---|
| 26 | The Windows audit configuration MUST be changed from its default to audit at least the following events: (1) Account Logon events: success and failure; (2) Account Management: success and failure; (3) Logon events: failure; (4) Policy Change: success and failure; (5) Privilege Use: failure; (6) System events: failure; (7) Directory Service Access: failure (domain controllers only). | V-6850 |

Access Control

| Rule No. | Description | STIG Group ID (Vulid) |
|---|---|---|
| 27 | Remote root access using password authentication MUST be disabled to ensure accountability and audit logging of root access. | V-1047 |
| 28 | ACL permissions granted to the "Everyone" group on user-created file shares must be removed. | V-3245 |
| 29 | Standard user accounts must NOT have write access to the Winlogon Registry key, to prevent privilege elevation. | V-26070 |
| 30 | Anonymous access to network shares must be prohibited from listing account names and enumerating share names. | V-1093 |
| 31 | The system must be configured to prevent anonymous access to unauthorized network shares. | V-3340 |
| 32 | Anonymous access to named pipes and shares must be disabled. | V-6834 |
| 33 | Disable Remote Assistance: the system MUST be configured to prevent solicited Remote Assistance. | V-3343 |

Services and Applications

| Rule No. | Description | STIG Group ID (Vulid) |
|---|---|---|
| 34 | No P2P software: the system must NOT have peer-to-peer file-sharing software installed. | V-3487 |
| 35 | Install anti-virus: the system MUST have an approved anti-virus application installed with an up-to-date engine and signatures. | V-1074 |
| 36 | Security patches: security-related patches MUST be applied to the system in a timely manner. | V-3828 |
| 37 | Disable unused services: system applications that are NOT needed on the system should be disabled or removed. | V-3487 |
| 38 | Enable Windows Firewall: Windows Firewall MUST be on and configured according to the needs of the system as a first line of defense. The firewall MUST implement a default DENY ALL rule, with exceptions enabled on a need basis. | V-3289 |
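The following PowerShell script is an added example, not part of the HKU baseline or an ITS tool: it audits a server against those rules whose settings can be read from the Registry and the exported local security policy, and reports PASS/FAIL per rule. The mapping from rule numbers to registry values and secedit keys is my assumption, as is the cached-logon threshold of 4 (the page only says "limited").

```powershell
# Added audit script, not part of the HKU document. Run in an elevated PowerShell on the server.
# "Rule" refers to the table above; the rule-to-setting mapping is an assumption, not HKU's statement.
$regChecks = @(
  @{Rule=2;  Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Name='CachedLogonsCount';       Test={ [int]$args[0] -le 4 }}  # 4 = STIG value; page only says "limited"
  @{Rule=4;  Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Name='AutoAdminLogon';          Test={ "$($args[0])" -ne '1' }; AbsentOk=$true}
  @{Rule=4;  Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Name='DefaultPassword';         Test={ $false }; AbsentOk=$true}  # any saved password fails
  @{Rule=9;  Path='HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security';       Name='WarningLevel';            Test={ [int]$args[0] -ge 1 }}
  @{Rule=10; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DontDisplayLastUserName'; Test={ $args[0] -eq 1 }}
  @{Rule=14; Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Name='ScreenSaverGracePeriod';  Test={ [int]$args[0] -le 5 }}
  @{Rule=20; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name='DisableDomainCreds';      Test={ $args[0] -eq 1 }}
  @{Rule=24; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name='LimitBlankPasswordUse';   Test={ $args[0] -eq 1 }}
  @{Rule=30; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name='RestrictAnonymousSAM';    Test={ $args[0] -eq 1 }}
  @{Rule=31; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name='RestrictAnonymous';       Test={ $args[0] -eq 1 }}
  @{Rule=32; Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='RestrictNullSessAccess';  Test={ $args[0] -eq 1 }}
  @{Rule=33; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';  Name='fAllowToGetHelp';         Test={ $args[0] -eq 0 }}
)
# Password and lockout policy live in the LSA database, not the Registry: export with secedit and read the [System Access] keys.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$pol = @{}
Get-Content $cfg | ForEach-Object { if ($_ -match '^\s*(\w+)\s*=\s*(.+)$') { $pol[$Matches[1]] = $Matches[2].Trim() } }
Remove-Item $cfg
$polChecks = @(
  @{Rule=15; Name='LockoutBadCount';       Test={ [int]$args[0] -ge 1 -and [int]$args[0] -le 8 }}
  @{Rule=15; Name='LockoutDuration';       Test={ [int]$args[0] -ge 30 -or [int]$args[0] -eq -1 }}  # -1 = until an administrator unlocks
  @{Rule=16; Name='MaximumPasswordAge';    Test={ [int]$args[0] -ge 1 -and [int]$args[0] -le 180 }} # -1 = never expires
  @{Rule=18; Name='PasswordComplexity';    Test={ [int]$args[0] -eq 1 }}
  @{Rule=19; Name='ClearTextPassword';     Test={ [int]$args[0] -eq 0 }}  # reversible encryption off
  @{Rule=21; Name='MinimumPasswordLength'; Test={ [int]$args[0] -ge 10 }}
  @{Rule=25; Name='PasswordHistorySize';   Test={ [int]$args[0] -ge 3 }}
)
function Test-Setting($rule, $label, $value, $test, $absentOk) {
  # A missing value means the insecure default is in force, unless the check says absence is fine.
  $ok = if ($null -eq $value) { [bool]$absentOk } else { [bool](& $test $value) }
  [pscustomobject]@{ Rule=$rule; Setting=$label; Value=$value; Result=$(if ($ok) {'PASS'} else {'FAIL'}) }
}
$results = @()
foreach ($c in $regChecks) {
  $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
  $results += Test-Setting $c.Rule $c.Name $v $c.Test $c.AbsentOk
}
foreach ($c in $polChecks) { $results += Test-Setting $c.Rule $c.Name $pol[$c.Name] $c.Test $false }
# Rule 12: the built-in Guest account is identified by its well-known RID 501, not by its (renamable) name.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
$results += Test-Setting 12 'Guest account enabled' $guest.Enabled { -not $args[0] } $false
# Rule 11: enabled local accounts with no logon in 35 days (a $null LastLogon, i.e. never used, also counts).
$stale = Get-LocalUser | Where-Object { $_.Enabled -and ($_.LastLogon -lt (Get-Date).AddDays(-35)) }
$results += Test-Setting 11 'Dormant accounts' ($stale.Name -join ',') { $args[0] -eq '' } $false
$results | Sort-Object Rule | Format-Table -AutoSize
```

Rules that depend on LSA rights, ACLs, installed software or the audit policy (3, 6, 8, 26 to 29, 34 to 38) are not covered here and need `auditpol`, `Get-Acl` or an inventory tool; on a domain-joined server the effective password policy comes from the domain GPO, so compare against the domain values rather than the local export.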