| DISA_STIG_Microsoft_Windows_Server_2025_v1r1.audit from DISA Microsoft Windows Server 2025 STIG v1r1 | |
| WN25-00-000001 - Windows Server 2025 must install security-relevant software updates within 30 days unless the time period is directed by an authoritative source (e.g., IAVM, CTOs, DTMs, STIGs). | SYSTEM AND INFORMATION INTEGRITY |
| WN25-00-000002 - Windows Server 2025 must prohibit the use or connection of unauthorized hardware components. | CONFIGURATION MANAGEMENT |
| WN25-00-000010 - Windows Server 2025 users with administrative privileges must have separate accounts for administrative duties and normal operational tasks. | CONFIGURATION MANAGEMENT |
| WN25-00-000020 - Windows Server 2025 passwords for the built-in Administrator account must be changed at least every 60 days. | IDENTIFICATION AND AUTHENTICATION |
| WN25-00-000030 - Windows Server 2025 administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email. | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| WN25-00-000040 - Windows Server 2025 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | CONFIGURATION MANAGEMENT |
| WN25-00-000050 - Windows Server 2025 manually managed application account passwords must be at least 15 characters in length. | IDENTIFICATION AND AUTHENTICATION |
| WN25-00-000060 - Windows Server 2025 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | CONFIGURATION MANAGEMENT |
| WN25-00-000070 - Windows Server 2025 shared user accounts must not be permitted. | IDENTIFICATION AND AUTHENTICATION |
| WN25-00-000080 - Windows Server 2025 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | CONFIGURATION MANAGEMENT |
| WN25-00-000090 - Windows Server 2025 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | CONFIGURATION MANAGEMENT |
| WN25-00-000110 - Windows Server 2025 must use an antivirus program. | CONFIGURATION MANAGEMENT |
| WN25-00-000120 - Windows Server 2025 must have a host-based intrusion detection and prevention service (IDPS) installed. | CONFIGURATION MANAGEMENT |
| WN25-00-000130 - Windows Server 2025 local volumes must use a format that supports New Technology File System (NTFS) attributes. | ACCESS CONTROL |
| WN25-00-000140 - Windows Server 2025 permissions for the system drive root directory (usually C:\) must conform to minimum requirements. | ACCESS CONTROL |
| WN25-00-000150 - Windows Server 2025 permissions for program file directories must conform to minimum requirements. | ACCESS CONTROL |
| WN25-00-000160 - Windows Server 2025 permissions for the Windows installation directory must conform to minimum requirements. | ACCESS CONTROL |
| WN25-00-000170 - Windows Server 2025 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | ACCESS CONTROL |
| WN25-00-000180 - Windows Server 2025 nonadministrative accounts or groups must only have print permissions on printer shares. | ACCESS CONTROL |
| WN25-00-000190 - Outdated or unused accounts on Windows Server 2025 must be removed or disabled. | ACCESS CONTROL |
| WN25-00-000200 - Windows Server 2025 accounts must require passwords. | IDENTIFICATION AND AUTHENTICATION |
| WN25-00-000210 - Windows Server 2025 passwords must be configured to expire. | IDENTIFICATION AND AUTHENTICATION |
| WN25-00-000220 - Windows Server 2025 system files must be monitored for unauthorized changes. | CONFIGURATION MANAGEMENT |
| WN25-00-000230 - Windows Server 2025 nonsystem-created file shares must limit access to groups that require it. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WN25-00-000240 - Windows Server 2025 must have software certificate installation files removed. | CONFIGURATION MANAGEMENT |
| WN25-00-000250 - Windows Server 2025 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WN25-00-000260 - Windows Server 2025 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WN25-00-000270 - Windows Server 2025 must have the roles and features required by the system documented. | CONFIGURATION MANAGEMENT |
| WN25-00-000280 - Windows Server 2025 must have a host-based firewall installed and enabled. | SYSTEM AND COMMUNICATIONS PROTECTION |
| WN25-00-000300 - Windows Server 2025 must automatically remove or disable temporary user accounts after 72 hours. | ACCESS CONTROL |
| WN25-00-000310 - Windows Server 2025 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | ACCESS CONTROL |
| WN25-00-000320 - Windows Server 2025 must not have the Fax Server role installed. | CONFIGURATION MANAGEMENT |
| WN25-00-000330 - Windows Server 2025 must not have the Microsoft FTP service installed unless required by the organization. | CONFIGURATION MANAGEMENT |
| WN25-00-000332 - Windows Server 2025 must not have Wi-Fi enabled unless required by the organization. | CONFIGURATION MANAGEMENT |
| WN25-00-000333 - Windows Server 2025 must not have Bluetooth enabled unless required by the organization. | CONFIGURATION MANAGEMENT |
| WN25-00-000340 - Windows Server 2025 must not have the Peer Name Resolution Protocol installed. | CONFIGURATION MANAGEMENT |
| WN25-00-000350 - Windows Server 2025 must not have Simple TCP/IP Services installed. | CONFIGURATION MANAGEMENT |
| WN25-00-000360 - Windows Server 2025 must not have the Telnet Client installed. | CONFIGURATION MANAGEMENT |
| WN25-00-000370 - Windows Server 2025 must not have the TFTP Client installed. | CONFIGURATION MANAGEMENT |
| WN25-00-000380 - Windows Server 2025 must not have the Server Message Block (SMB) v1 protocol installed. | CONFIGURATION MANAGEMENT |
| WN25-00-000390 - Windows Server 2025 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | CONFIGURATION MANAGEMENT |
| WN25-00-000400 - Windows Server 2025 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client. | CONFIGURATION MANAGEMENT |
| WN25-00-000410 - Windows Server 2025 must not have Windows PowerShell 2.0 installed. | CONFIGURATION MANAGEMENT |
| WN25-00-000420 - Windows Server 2025 FTP servers must be configured to prevent anonymous logons. | CONFIGURATION MANAGEMENT |
| WN25-00-000430 - Windows Server 2025 FTP servers must be configured to prevent access to the system drive. | CONFIGURATION MANAGEMENT |
| WN25-00-000440 - The Windows Server 2025 time service must synchronize with an appropriate DOD time source. | AUDIT AND ACCOUNTABILITY |
| WN25-00-000450 - Windows Server 2025 must have orphaned security identifiers (SIDs) removed from user rights. | CONFIGURATION MANAGEMENT |
| WN25-00-000460 - Windows Server 2025 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | CONFIGURATION MANAGEMENT |
| WN25-00-000470 - Windows Server 2025 must have Secure Boot enabled. | CONFIGURATION MANAGEMENT |
