DISA Windows Server 2012 and 2012 R2 DC STIG v3r4

Audit Details

Name: DISA Windows Server 2012 and 2012 R2 DC STIG v3r4

Updated: 9/23/2022

Authority: DISA STIG

Plugin: Windows

Revision: 1.2

Estimated Item Count: 396

File Details

Filename: DISA_STIG_Server_2012_and_2012_R2_DC_v3r4.audit

Size: 720 kB

MD5: 2d709b0ac47efff9b8e523e8cd43d273
SHA256: d9754d92befcf4a4c6555fc260138a64bfedf2073ee504178aa426e1d90c028e

Audit Changelog

 
Revision 1.2

Sep 23, 2022

Functional Update
  • WN12-00-000210 - PowerShell script block logging must be enabled on Windows 2012/2012 R2 - Patch
  • WN12-AC-000001 - Windows 2012 account lockout duration must be configured to 15 minutes or greater.
  • WN12-AD-000002-DC - The Active Directory SYSVOL directory must have the proper access control permissions.

Revision 1.1

Aug 11, 2022

Functional Update
  • WN12-00-000190 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2.
  • WN12-00-000210 - PowerShell script block logging must be enabled on Windows 2012/2012 R2 - Patch
  • WN12-AC-000001 - Windows 2012 account lockout duration must be configured to 15 minutes or greater.
  • WN12-GE-000010 - The system must not boot into multiple operating systems (dual-boot).
  • WN12-GE-000014 - Outdated or unused accounts must be removed from the system or disabled.
Informational Update
  • WN12-00-000190 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2.
  • WN12-GE-000010 - The system must not boot into multiple operating systems (dual-boot).
  • WN12-GE-000014 - Outdated or unused accounts must be removed from the system or disabled.
Miscellaneous
  • References updated.
Added
  • WN12-00-000009-01 - Members of the Backup Operators group must be documented.
  • WN12-00-000009-02 - Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
  • WN12-FW-000001 - A host-based firewall must be installed and enabled on the system.
  • WN12-GE-000012 - Nonadministrative user accounts or groups must only have print permissions on printer shares.
  • WN12-GE-000056 - Windows 2012 / 2012 R2 must automatically remove or disable temporary user accounts after 72 hours.
  • WN12-GE-000057 - Windows 2012 / 2012 R2 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.
Removed
  • WN12-00-000009-01 - Members of the Backup Operators group must be documented.
  • WN12-00-000009-02 - Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.
  • WN12-FW-000001 - A host-based firewall must be installed and enabled on the system.
  • WN12-GE-000012 - Nonadministrative user accounts or groups must only have print permissions on printer shares.
  • WN12-GE-000056 - Windows 2012 / 2012 R2 must automatically remove or disable temporary user accounts after 72 hours.
  • WN12-GE-000057 - Windows 2012 / 2012 R2 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.

Revision 1.0

Jun 28, 2022

Functional Update
  • WN12-00-000210 - PowerShell script block logging must be enabled on Windows 2012/2012 R2 - Patch
  • WN12-AC-000001 - Windows 2012 account lockout duration must be configured to 15 minutes or greater.