Supported Microsoft Windows Platforms include: Windows Server 2016, 2019, 2022.
Rule No. | Description | STIG Group ID (Vulid) |
---|---|---|
Identification and Authorization | | |
1 | Restricted Use of Accounts with Administrative Privilege – administrative accounts are to be used solely for administrative tasks; email clients, web browsers and other applications that access the Internet must not run under administrative accounts. | V-36451 |
2 | Caching of Logon Credentials – the caching of logon credentials must be limited to reduce the exposure of cached credentials. | V-1090 |
3 | Anonymous Access to the Registry – a default Windows installation allows anonymous access to the registry; this poses a security risk, so the access must be denied explicitly. | V-1152 |
4 | Disable Automatic Logon – automatic administrator logon on Windows Server must be disabled and no password may be saved in the registry. | V-1145 |
5 | Recovery Console Automatic Logon – the automatic logon option in the Recovery Console must be disabled. | V-1159 |
6 | Anonymous SID/Name Translation – anonymous SID/Name translation is turned on by default in a Windows installation. It must be disabled so that anonymous users cannot connect to perform SID/Name translation. | V-3337 |
7 | Anonymous Access to Named Pipes (and Shares) – anonymous access to named pipes and shares must be disabled. | V-3338 V-6834 |
8 | Remotely Accessible Registry Paths (and Sub-paths) – remote access to registry paths (and sub-paths) should be disabled unless it is required for applications to function properly. | V-3339 V-4443 |
9 | Audit Log Warning Level – Windows Server must be configured to generate a warning when the Security event log reaches a defined threshold. | V-4108 |
10 | Display of Last User Name – the display of the last logged-on user name on the logon screen must be disabled to avoid disclosure of personal information. | V-11806 |
11 | Dormant Accounts – any enabled account, except certain accounts used to run applications, that has not logged on to the system within 35 days should be disabled. | V-1112 |
12 | Disable Guest Accounts – the built-in Guest account must be disabled. | V-1113 |
13 | Password Protected Screen Saver – a password-protected screen saver must be enabled for all users, with a recommended timeout of 15 minutes or less. | V-1122 |
14 | Screen Saver Grace Period – password protection must take effect within a grace period of 5 seconds or less once the screen saver becomes active. | V-4442 |
15 | To safeguard against brute-force logon attempts, automatic account lockout MUST lock an account after a number of consecutive failed logon attempts (recommended value of 8 or less); the lockout setting may be configured to release locked accounts automatically after 30 minutes or more. | V-1097 |
Password Control and Policy | | |
16 | User passwords must be changed at least every 180 days. | V-1104 |
17 | Users must be warned 7 days in advance of password expiration. | V-1172 |
18 | Password Complexity – strong passwords must be enforced through the OS setting that mandates a mix of upper-case letters, lower-case letters, numbers and special characters. Preferably, the password should contain at least one character from each of these categories. | V-1131 |
19 | Use of Password Encryption – storing passwords with reversible encryption (a recoverable form rather than a one-way hash) must be disabled to prevent regeneration of the plaintext password from its stored form. | V-2372 |
20 | Storage of Passwords and Credentials – the system must be configured to prevent the storage of credentials or .NET Passports on the local system, which could lead to account compromise. | V-3376 |
21 | Minimum Password Length – the system must be configured to set the minimum password length to 10. | V-6836 |
22 | Password Requirement – the system must be configured to require a password for all accounts; no account may have an empty password, which would grant inadvertent access. | V-7002 |
23 | Password Expiration – the system must be configured to enforce password expiration according to the password age configured in Rule 16. | V-6840 |
24 | Limit Blank Passwords – the password policy should prohibit accounts with blank passwords. If a local account with a blank password does exist, the system must be configured to limit that account to local console logon. | V-3344 |
25 | Password re-use must be prevented by enforcing password history at the Windows system level. To comply with the ITS password policy, the system must be configured to prevent re-use of the 3 most recent passwords. | V-1107 |
Auditing and Logging | | |
26 | The Windows audit configuration MUST be changed from its default to audit at least the following events: (1) Account Logon Events – Success and Failure; (2) Account Management – Success and Failure; (3) Logon Events – Failure; (4) Policy Change – Success and Failure; (5) Privilege Use – Failure; (6) System Events – Failure; (7) Directory Service Access – Failure (domain controllers only). | V-6850 |
Access Control | | |
27 | Remote root access using password authentication MUST be disabled to ensure the accountability and audit logging of root access. | V-1047 |
28 | The ACL permissions granted to the Everyone group on user-created file shares must be removed. | V-3245 |
29 | Standard user accounts must NOT have write access to the Winlogon registry key, to prevent privilege elevation. | V-26070 |
30 | Anonymous users must be prevented from listing account names and enumerating share names. | V-1093 |
31 | The system must be configured to prevent anonymous access to unauthorized network shares. | V-3340 |
32 | Anonymous access to named pipes and shares must be disabled. | V-6834 |
33 | Disable Remote Assistance – the system MUST be configured to prevent solicited Remote Assistance. | V-3343 |
Services and Applications | | |
34 | No P2P Software – the system must NOT have peer-to-peer file sharing software installed. | V-3487 |
35 | Install Anti-virus – the system MUST have an approved anti-virus application installed with an up-to-date scan engine and signatures. | V-1074 |
36 | Security Patches – security-related patches MUST be applied to the system in a timely manner. | V-3828 |
37 | Disable Unused Services – services and applications that are NOT needed on the system should be disabled or removed. | V-3487 |
38 | Enable Windows Firewall – Windows Firewall MUST be enabled and configured according to the needs of the system as a first line of defense. The firewall MUST implement a default DENY ALL rule, with exceptions enabled on a need basis. | V-3289 |
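The following PowerShell script is an added example, not part of this standard: it exports the local security policy with secedit and compares the [System Access] values against the thresholds in Rules 6, 12, 15, 16, 18, 19, 21 and 25. It assumes an elevated session on the assessed server; on a domain member the effective values come from domain policy, so run it where that policy applies.

```powershell
# Added example (not part of the standard): export the local security policy
# with secedit and compare the [System Access] values against Rules 6, 12, 15,
# 16, 18, 19, 21 and 25. Run as Administrator on the server being assessed.
# The 8/30/180/10/3 figures come from the table; a missing key is treated as
# "not configured" and therefore a FAIL (e.g. no lockout duration when lockout is off).

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Parse the INF: keep only the [System Access] section as a name=value hashtable.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Rule, policy key, test (scriptblock receiving the integer value), expected value in words.
$checks = @(
    @{ Rule = 6;  Key = 'LSAAnonymousNameLookup'; Want = '0 (disabled)';       Test = { $args[0] -eq 0 } },
    @{ Rule = 12; Key = 'EnableGuestAccount';     Want = '0 (Guest disabled)'; Test = { $args[0] -eq 0 } },
    @{ Rule = 15; Key = 'LockoutBadCount';        Want = '1..8 attempts';      Test = { $args[0] -ge 1 -and $args[0] -le 8 } },
    @{ Rule = 15; Key = 'LockoutDuration';        Want = '30+ min (-1 = until an admin unlocks)'; Test = { $args[0] -ge 30 -or $args[0] -eq -1 } },
    @{ Rule = 16; Key = 'MaximumPasswordAge';     Want = '1..180 days';        Test = { $args[0] -ge 1 -and $args[0] -le 180 } },
    @{ Rule = 18; Key = 'PasswordComplexity';     Want = '1 (complexity on)';  Test = { $args[0] -eq 1 } },
    @{ Rule = 19; Key = 'ClearTextPassword';      Want = '0 (no reversible encryption)'; Test = { $args[0] -eq 0 } },
    @{ Rule = 21; Key = 'MinimumPasswordLength';  Want = '10 or more';         Test = { $args[0] -ge 10 } },
    @{ Rule = 25; Key = 'PasswordHistorySize';    Want = '3 or more';          Test = { $args[0] -ge 3 } }
)

$results = foreach ($c in $checks) {
    $raw   = $policy[$c.Key]
    $value = if ($null -ne $raw) { [int]$raw } else { $null }
    [pscustomobject]@{
        Rule     = $c.Rule
        Setting  = $c.Key
        Actual   = $raw
        Expected = $c.Want
        Status   = if ($null -ne $value -and (& $c.Test $value)) { 'PASS' } else { 'FAIL' }
    }
}
$results | Format-Table -AutoSize
```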
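Rule 26 can be verified from the effective audit policy rather than from Group Policy. The script below is an added example, not part of this standard: it parses the output of `auditpol /get /category:*` and reports every subcategory in the listed categories that falls short of the minimum setting. It assumes an elevated session and English-language auditpol output (category names are matched as printed).

```powershell
# Added example (not part of the standard): check Rule 26 against the effective
# audit policy reported by auditpol. Run elevated; category names below are the
# English auditpol labels ("Logon/Logoff" = Logon Events, "System" = System Events,
# "DS Access" = Directory Service Access, required on domain controllers only).

$required = [ordered]@{
    'Account Logon'      = 'Success and Failure'
    'Account Management' = 'Success and Failure'
    'Logon/Logoff'       = 'Failure'
    'Policy Change'      = 'Success and Failure'
    'Privilege Use'      = 'Failure'
    'System'             = 'Failure'
}
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {   # 4 = backup DC, 5 = primary DC
    $required['DS Access'] = 'Failure'
}

$findings = @()
$category = $null
foreach ($line in (auditpol /get /category:*)) {
    if ($line -match '^\S') { $category = $line.Trim(); continue }        # unindented line = category
    if ($line -notmatch '^\s{2}(\S.*?)\s{2,}(.+)$') { continue }        # indented line = subcategory
    $sub, $setting = $Matches[1], $Matches[2].Trim()
    if (-not $required.Contains($category)) { continue }
    $need = $required[$category]
    # "Success and Failure" satisfies a Failure requirement; "No Auditing" or "Success" alone does not.
    $ok = if ($need -eq 'Failure') { $setting -like '*Failure*' } else { $setting -eq 'Success and Failure' }
    if (-not $ok) {
        $findings += [pscustomobject]@{ Category = $category; Subcategory = $sub; Actual = $setting; Required = $need }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { 'Rule 26: every subcategory in the listed categories meets the minimum audit setting.' }
```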
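Several rules are backed by single registry values, and Rule 29 by the ACL on one key. The script below is an added example, not part of this standard: it reads the values behind Rules 2, 4, 5, 10, 14, 30, 31 and 33 and then checks the Winlogon key ACL for Rule 29. It assumes an elevated session; the paths and value names are the standard Windows locations, and the cached-logon limit of 4 is an assumption because the table states no number.

```powershell
# Added example (not part of the standard): check the registry-backed settings
# behind Rules 2, 4, 5, 10, 14, 30, 31 and 33, then inspect the Winlogon key ACL
# for Rule 29. Run elevated. Paths and value names are the standard Windows
# locations; the cached-logon limit of 4 is an assumption (the table gives none).

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Rule = 2;  Path = $winlogon; Name = 'CachedLogonsCount';      Want = '4 or fewer';   Test = { $null -ne $args[0] -and [int]$args[0] -le 4 } },
    @{ Rule = 4;  Path = $winlogon; Name = 'AutoAdminLogon';         Want = '0';            Test = { $args[0] -eq '0' } },
    @{ Rule = 4;  Path = $winlogon; Name = 'DefaultPassword';        Want = 'value absent'; Test = { $null -eq $args[0] } },
    @{ Rule = 5;  Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'; Name = 'SecurityLevel'; Want = '0'; Test = { $args[0] -eq 0 } },
    @{ Rule = 10; Path = $policies; Name = 'DontDisplayLastUserName'; Want = '1';           Test = { $args[0] -eq 1 } },
    @{ Rule = 14; Path = $winlogon; Name = 'ScreenSaverGracePeriod'; Want = '5 or fewer';   Test = { $null -ne $args[0] -and [int]$args[0] -le 5 } },
    @{ Rule = 30; Path = $lsa;      Name = 'RestrictAnonymousSAM';   Want = '1';            Test = { $args[0] -eq 1 } },
    @{ Rule = 31; Path = $lsa;      Name = 'RestrictAnonymous';      Want = '1';            Test = { $args[0] -eq 1 } },
    @{ Rule = 33; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'fAllowToGetHelp'; Want = '0'; Test = { $args[0] -eq 0 } }
)
$results = foreach ($c in $checks) {
    # A missing key or value yields $null; each Test decides whether absence is acceptable.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Rule = $c.Rule; Setting = $c.Name; Actual = $actual; Expected = $c.Want
        Status = if (& $c.Test $actual) { 'PASS' } else { 'FAIL' }
    }
}
$results | Format-Table -AutoSize

# Rule 29: no standard-user principal may hold write rights on the Winlogon key.
# FullControl ACEs are caught as well, since they include every bit in the write mask.
$writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$lowPriv   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
$bad = (Get-Acl -Path $winlogon).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($lowPriv -contains $_.IdentityReference.Value) -and
    (($_.RegistryRights -band $writeMask) -ne 0)
}
if ($bad) { 'Rule 29 FAIL: write access granted to ' + (($bad.IdentityReference.Value | Sort-Object -Unique) -join ', ') }
else      { 'Rule 29 PASS: the Winlogon key grants no write rights to standard users.' }
```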