CIS Microsoft Windows Server 2019 v3.0.1 L1 DC

Audit Details

Name: CIS Microsoft Windows Server 2019 v3.0.1 L1 DC

Updated: 7/11/2025

Authority: CIS

Plugin: Windows

Revision: 1.2

Estimated Item Count: 319

File Details

Filename: CIS_Microsoft_Windows_Server_2019_v3.0.1_L1_DC.audit

Size: 951 kB

MD5: ba2b634adddb18525030efcb1e01b99c
SHA256: 86c551d78b53fcd2f8371dec5f9e85ed6e4d0096cf45bc0a7d35260a452ec495

Audit Changelog

Revision 1.2

Jul 11, 2025

Functional Update
  • 2.3.11.12 (L1) Ensure 'Network security: Restrict NTLM: Audit NTLM authentication in this domain' is set to 'Enable all' (DC only)
Informational Update
  • 1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
  • 1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'
  • 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'
  • 17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'
  • 17.3.2 (L1) Ensure 'Audit Process Creation' is set to include 'Success'
  • 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
  • 18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
  • 18.1.2.2 (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'
  • 18.10.12.2 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
  • 18.10.13.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'
  • 18.10.14.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'
  • 18.10.15.1 (L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'
  • 18.10.15.8 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'
  • 18.10.25.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
  • 18.10.25.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
  • 18.10.25.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
  • 18.10.25.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
  • 18.10.25.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
  • 18.10.25.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
  • 18.10.25.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
  • 18.10.25.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
  • 18.10.28.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
  • 18.10.41.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
  • 18.10.42.10.1 (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'
  • 18.10.42.10.2 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled'
  • 18.10.42.10.3 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'
  • 18.10.42.13.2 (L1) Ensure 'Scan removable drives' is set to 'Enabled'
  • 18.10.42.13.3 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'
  • 18.10.42.16 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'
  • 18.10.42.17 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'
  • 18.10.42.5.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
  • 18.10.42.6.1.2 (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured
  • 18.10.42.7.1 (L1) Ensure 'Enable file hash computation feature' is set to 'Enabled'
  • 18.10.5.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
  • 18.10.50.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
  • 18.10.56.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
  • 18.10.56.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'
  • 18.10.56.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'
  • 18.10.56.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'
  • 18.10.57.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
  • 18.10.7.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
  • 18.10.7.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
  • 18.10.75.2.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'
  • 18.10.79.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'
  • 18.10.8.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'
  • 18.10.80.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled'
  • 18.10.81.1 (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'
  • 18.10.88.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
  • 18.10.92.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
  • 18.10.92.2.1 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'
  • 18.10.92.4.1 (L1) Ensure 'Manage preview builds' is set to 'Disabled'
  • 18.10.92.4.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'
  • 18.10.92.4.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'
  • 18.4.2 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
  • 18.4.3 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
  • 18.4.4 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'
  • 18.4.5 (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'
  • 18.4.6 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'
  • 18.4.7 (L1) Ensure 'LSA Protection' is set to 'Enabled'
  • 18.4.8 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'
  • 18.4.9 (L1) Ensure 'WDigest Authentication' is set to 'Disabled'
  • 18.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'
  • 18.5.12 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
  • 18.5.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'
  • 18.5.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'
  • 18.5.4 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
  • 18.5.6 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
  • 18.5.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled'
  • 18.5.9 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'
  • 18.6.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
  • 18.6.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
  • 18.6.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'
  • 18.6.4.1 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
  • 18.6.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'
  • 18.6.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'
  • 18.7.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
  • 18.7.10 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'
  • 18.7.11 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'
  • 18.7.8 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'
  • 18.7.9 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
  • 18.9.13.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
  • 18.9.19.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
  • 18.9.19.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
  • 18.9.19.4 (L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
  • 18.9.19.5 (L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
  • 18.9.19.6 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled'
  • 18.9.24.1 (L1) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'
  • 18.9.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
  • 18.9.28.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled'
  • 18.9.28.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
  • 18.9.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
  • 18.9.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'
  • 18.9.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
  • 18.9.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled'
  • 18.9.33.6.3 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'
  • 18.9.33.6.4 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'
  • 18.9.35.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
  • 18.9.35.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
  • 18.9.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'
  • 18.9.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
  • 18.9.7.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'
  • 19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'
  • 19.7.5.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
  • 19.7.8.1 (L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'
  • 19.7.8.2 (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'
  • 2.2.11 (L1) Ensure 'Back up files and directories' is set to 'Administrators'
  • 2.2.15 (L1) Ensure 'Create a token object' is set to 'No One'
  • 2.2.16 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
  • 2.2.20 (L1) Ensure 'Debug programs' is set to 'Administrators'
  • 2.2.21 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)
  • 2.2.23 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'
  • 2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)
  • 2.2.28 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)
  • 2.2.31 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
  • 2.2.32 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)
  • 2.2.35 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'
  • 2.2.38 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers' (DC only)
  • 2.2.4 (L1) Ensure 'Act as part of the operating system' is set to 'No One'
  • 2.2.41 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'
  • 2.2.45 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
  • 2.2.46 (L1) Ensure 'Restore files and directories' is set to 'Administrators'
  • 2.2.49 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'
  • 2.2.5 (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)
  • 2.2.6 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
  • 2.2.9 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)
  • 2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)
  • 2.3.10.8 (L1) Configure 'Network access: Remotely accessible registry paths' is configured
  • 2.3.10.9 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured
  • 2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
  • 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
  • 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
  • 2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
  • 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
  • 2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
  • 2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
  • 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
  • 2.3.5.2 (L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only)
  • 2.3.5.3 (L1) Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only)
  • 2.3.5.4 (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)
  • 2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'
  • 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
  • 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
  • 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
  • 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
  • 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
  • 5.1 (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only)
Miscellaneous
  • References updated.
Added
  • 18.6.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication', 'Require Integrity', and 'Require Privacy' set for all NETLOGON and SYSVOL shares'
Removed
  • 18.6.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with 'Require Mutual Authentication', 'Require Integrity', and 'Require Privacy' set for all NETLOGON and SYSVOL shares'
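The two DC-only controls that revision 1.2 actually changed (the NTLM domain-audit functional update, and the re-keyed Hardened UNC Paths item) can be spot-checked on a domain controller before the audit file is run. The script below is an added example, not part of the Tenable audit file or the CIS benchmark. It reads the registry locations the corresponding Group Policy settings write to (Netlogon\Parameters\AuditNTLMInDomain, where 7 is 'Enable all', and NetworkProvider\HardenedPaths, whose per-share value is a comma-separated list of Flag=1 tokens); the assumption that the 'Require Privacy' option appears as a RequirePrivacy=1 token alongside the other two is mine, and the function and property names are illustrative.

```powershell
# Added example (not Tenable or CIS code): read-only check of the two DC-only
# settings touched by revision 1.2 of the audit. Run in an elevated session on a DC.

function Get-NtlmDomainAuditState {
    # 2.3.11.12: Network security: Restrict NTLM: Audit NTLM authentication in this domain.
    # The policy writes AuditNTLMInDomain under Netlogon\Parameters; 7 means 'Enable all'.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $name  = 'AuditNTLMInDomain'
    $label = @{
        0 = 'Disable'
        1 = 'Enable for domain accounts to domain servers'
        3 = 'Enable for domain accounts'
        5 = 'Enable for domain servers'
        7 = 'Enable all'
    }
    $regKey = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    $value  = if ($regKey) { $regKey.GetValue($name) } else { $null }

    $detail = if ($null -eq $value) { 'Not Configured' }
              elseif ($label.ContainsKey([int]$value)) { $label[[int]$value] }
              else { "Unknown value $value" }

    [pscustomobject]@{
        Control = '2.3.11.12'
        Setting = 'Restrict NTLM: Audit NTLM authentication in this domain'
        Detail  = $detail
        Pass    = ($value -eq 7)
    }
}

function Get-HardenedUncPathState {
    # 18.6.14.1: Hardened UNC Paths for one share pattern, e.g. '\\*\NETLOGON'.
    # Each value is a string like 'RequireMutualAuthentication=1, RequireIntegrity=1, ...';
    # token order is not significant, so parse into a hashtable and check each flag.
    param([Parameter(Mandatory)][string]$Share)

    $key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    $required = 'RequireMutualAuthentication', 'RequireIntegrity', 'RequirePrivacy'  # RequirePrivacy token assumed

    # GetValue() is used instead of Get-ItemProperty -Name because the share name
    # contains '*', which -Name would treat as a wildcard.
    $regKey = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    $raw    = if ($regKey) { [string]$regKey.GetValue($Share) } else { '' }

    $flags = @{}
    foreach ($token in ($raw -split ',')) {
        $pair = $token.Trim() -split '=', 2
        if ($pair.Count -eq 2) { $flags[$pair[0].Trim()] = $pair[1].Trim() }
    }
    $missing = @($required | Where-Object { $flags[$_] -ne '1' })

    [pscustomobject]@{
        Control = '18.6.14.1'
        Setting = "Hardened UNC Paths: $Share"
        Detail  = if ($missing.Count) { "Missing or 0: $($missing -join ', ')" } else { $raw }
        Pass    = ($missing.Count -eq 0)
    }
}

# Both controls are scoped '(DC only)'; DomainRole 4/5 = backup/primary domain controller.
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
if (-not $isDc) { Write-Warning 'This host is not a domain controller; both controls are DC-only.' }

$results = @(
    Get-NtlmDomainAuditState
    Get-HardenedUncPathState -Share '\\*\NETLOGON'
    Get-HardenedUncPathState -Share '\\*\SYSVOL'
)
$results | Format-Table Control, Setting, Detail, Pass -AutoSize
```

A failing result is remediated through Group Policy, not by writing the registry directly: on a DC these values are policy-managed and a local change is overwritten at the next refresh. The NTLM setting lives under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options in the Default Domain Controllers Policy; the Hardened UNC Paths setting is under Computer Configuration\Policies\Administrative Templates\Network\Network Provider. 'Enable all' only audits NTLM use (events in the Microsoft-Windows-NTLM/Operational log); it does not block it, so a Pass here is a visibility gain, not a removal of NTLM exposure.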
Revision 1.1

Jan 6, 2025

Miscellaneous
  • Metadata updated.
  • References updated.