HKU Server Compliance Baseline Policies for Microsoft Windows Platforms

Supported Microsoft Windows Platforms include: Windows Server 2016, 2019, 2022.

Rule No. Description STIG Group ID (Vulid)
Identification and Authorization
1 Restricted use of users with administrative privilege – use of administrative accounts is solely for administrative task purpose, email application, web browsing system as well as other applications accessing Internet must not use administrative accounts. V-36451
2 Caching of logon credentials – The caching of logon credential must be limited to avoid exposure cached credentials. V-1090
3 Anonymous Access to the Registry – default Windows installation allows anonymous access to Windows registry, this poses a security risk to the system and hence the access must be denied explicitly. V-1152
4 Disable Automatic Logon – automatic administrator logon on Windows server must be disabled and no password saved in the Registry. V-1145
5 Recovery Console Automatic Logon – the automatic logon option in recovery console must be disabled. V-1159
6 Anonymous SID/Name Translation – Anonymous SID/Name translation is turned on by default in Windows installation. This must be disabled to avoid users connecting as anonymous users to perform SID/Name translation. V-3337
7 Anonymous access to Name Pipes (and shares) – Anonymous access to name pipes and shares must be disabled. V-3338 V-6834
8 Remotely Accessible Registry Paths (and sub-paths) – Remote access to registry paths (and sub-paths) should be disabled unless this is required in order for applications to function properly V-3339 V-4443
9 Audit Log Warning Level – Windows server must be configured to generate a warning when the Security Event Log reaches a defined threshold V-4108
10 Display of Last User Name – the display of last logon user must be disabled on the logon screen to avoid disclosure of personal information. V-11806
11 Dormant Accounts – any enabled accounts, except certain accounts for running applications, that have not been logged into the system within 35 days should be disabled V-1112
12 Disable Guest Accounts – the built-in guest account must be disabled. V-1113
13 Password Protected Screen Saver – password protected screen saver must be activated for users with a recommended timeout of 15 minutes or less V-1122
14 Screen Saver Grace Period – this is to ensure that password protection takes effect with the grace period of 5 seconds or less when the screen saver becomes active V-4442
15 To safe guard against brute force login attempt, automatic account lockout MUST be effective to lockout account with consecutive failed logon (recommended value of 8 or less) attempts, the account lockout setting may be configured to automatically release the locked accounts after 30 minutes or more. V-1097
Password Control and Policy
16 User passwords must be changed at least every 180 days. V-1104
17 Users must be warned 7 days in advance of password expiration. V-1172
18 Password complexity – a strong password must be ensured through OS setting to mandate the use of a mix of characters from upper/lower case letters, numbers and special characters. Preferably, the password should contain one character from each of the above categories. V-1131
19 Use of password encryption – the use of reversible password hash function must be disabled to prevent the re-generation of plaintext password from its hashed equivalent. V-2372
20 Storage of Passwords and Credentials – the system must be configured to prevent the storage of credentials or .NET passports on the local system that may lead to account compromise. V-3376
21 Minimum Password Length – the system must be configured to set the minimum password length to 10. V-6836
22 Password Requirement – the system must be configured to require password for all accounts. In other words, all created accounts must not have empty password such that inadvertent access is granted V-7002
23 Password Expiration – the system must be configured to enforce password expiration according to the configured password age in Rule Number 16. V-6840
24 Limit Blank Passwords – The password policy should prohibit accounts with blank passwords. However, if a local account with a blank password does exist the system must be configured to limit the account to local console logon V-3344
25 The re-use of password must be avoided by enforcing password history on the Windows system level. To comply with ITS password policy, the system must be configured to restrict the re-use of most recent 3 passwords V-1107
Auditing and Logging
26 The Windows system audit configuration MUST be updated from its default to audit the following events at the minimum: 1. Account Logon Events – Success and Failure events 2. Account Management – Success and Failure events 3. Logon Events – Failure events 4. Policy Change – Success and Failure events 5. Privilege Use – Failure events 6. System Events – Failure events 7. Directory Service Access – Failure events (for domain controller only) V-6850
Access Control
27 Remote root access using password authentication MUST be disabled to ensure the accountability and audit logging of root access. V-1047
28 The ACL permissions from the “Everyone group” on user-created file shares must be removed V-3245
29 Standard user accounts must NOT have write access to Winlogon registry to prevent privilege elevation V-26070
30 Anonymous access to network shares must be prohibited from listing account names and enumerating share names V-1093
31 The system must be configured to prevent anonymous access to unauthorized network shares V-3340
32 Anonymous access to name pipes and shares must be disabled V-6834
33 Disable Remote Assistance – the system MUST be configured to prevent solicited remote assistance V-3343
Services and Applications
34 No P2P Software Application – the system must NOT have peer to peer file sharing application software installed V-3487
35 Install Anti-virus – the system MUST have an approved anti-virus software application installed with update-to-date virus engine and signature V-1074
36 Security Patch – security related patches MUST be applied to the system on a timely manner. V-3828
37 Disable unused services – system applications that are NOT needed on the system should be disabled or removed. V-3487
38 Enable Windows Firewall – windows firewall MUST be on and configured according to the need of the system as a first line of defense. The firewall MUST implement a default DENY ALL rule with exception enabled on need basis V-3289