DISA_STIG_Server_2012_and_2012_R2_MS_v3r5.audit from DISA Microsoft Windows Server 2012/2012 R2 Member Server v3r5 STIG

WN12-00-000001 - Server systems must be located in a controlled access area, accessible only to authorized personnel.

CAT|II

CCI|CCI-000366

Rule-ID|SV-225239r569185_rule

STIG-ID|WN12-00-000001

STIG-Legacy|SV-52838

STIG-Legacy|V-1070

Vuln-ID|V-225239

WN12-00-000004 - Users with administrative privilege must be documented.

Rule-ID|SV-225240r569185_rule

STIG-ID|WN12-00-000004

STIG-Legacy|SV-51575

STIG-Legacy|V-36658

Vuln-ID|V-225240

WN12-00-000005 - Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.

CAT|I

Rule-ID|SV-225241r569185_rule

STIG-ID|WN12-00-000005

STIG-Legacy|SV-51576

STIG-Legacy|V-36659

Vuln-ID|V-225241

WN12-00-000006 - Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.

Rule-ID|SV-225242r569185_rule

STIG-ID|WN12-00-000006

STIG-Legacy|SV-51577

STIG-Legacy|V-36666

Vuln-ID|V-225242

WN12-00-000007 - Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.

Rule-ID|SV-225243r793246_rule

STIG-ID|WN12-00-000007

STIG-Legacy|SV-52942

STIG-Legacy|V-14225

Vuln-ID|V-225243

WN12-00-000008 - Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.

Rule-ID|SV-225244r569185_rule

STIG-ID|WN12-00-000008

STIG-Legacy|SV-51578

STIG-Legacy|V-36451

Vuln-ID|V-225244

WN12-00-000009-01 - Members of the Backup Operators group must be documented.

Rule-ID|SV-225245r569185_rule

STIG-ID|WN12-00-000009-01

STIG-Legacy|SV-52156

STIG-Legacy|V-1168

Vuln-ID|V-225245

WN12-00-000009-02 - Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.

Rule-ID|SV-225246r569185_rule

STIG-ID|WN12-00-000009-02

STIG-Legacy|SV-52157

STIG-Legacy|V-40198

Vuln-ID|V-225246

WN12-00-000010 - Policy must require application account passwords be at least 15 characters in length.

CCI|CCI-000205

Rule-ID|SV-225247r569185_rule

STIG-ID|WN12-00-000010

STIG-Legacy|SV-51579

STIG-Legacy|V-36661

Vuln-ID|V-225247

WN12-00-000011 - Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.

Rule-ID|SV-225248r569185_rule

STIG-ID|WN12-00-000011

STIG-Legacy|SV-51580

STIG-Legacy|V-36662

Vuln-ID|V-225248

WN12-00-000012 - Shared user accounts must not be permitted on the system.

CCI|CCI-000764

Rule-ID|SV-225249r569185_rule

STIG-ID|WN12-00-000012

STIG-Legacy|SV-52839

STIG-Legacy|V-1072

Vuln-ID|V-225249

WN12-00-000013 - Security configuration tools or equivalent processes must be used to configure and maintain platforms for security compliance.

CAT|III

Rule-ID|SV-225250r569185_rule

STIG-ID|WN12-00-000013

STIG-Legacy|SV-52859

STIG-Legacy|V-1128

Vuln-ID|V-225250

WN12-00-000014 - System-level information must be backed up in accordance with local recovery time and recovery point objectives.

Rule-ID|SV-225251r569185_rule

STIG-ID|WN12-00-000014

STIG-Legacy|SV-52841

STIG-Legacy|V-1076

Vuln-ID|V-225251

WN12-00-000015 - User-level information must be backed up in accordance with local recovery time and recovery point objectives.

Rule-ID|SV-225252r569185_rule

STIG-ID|WN12-00-000015

STIG-Legacy|SV-51581

STIG-Legacy|V-36733

Vuln-ID|V-225252

WN12-00-000016 - Backups of system-level information must be protected.

Rule-ID|SV-225253r569185_rule

STIG-ID|WN12-00-000016

STIG-Legacy|SV-52130

STIG-Legacy|V-40172

Vuln-ID|V-225253

WN12-00-000017 - System-related documentation must be backed up in accordance with local recovery time and recovery point objectives.

Rule-ID|SV-225254r569185_rule

STIG-ID|WN12-00-000017

STIG-Legacy|SV-52131

STIG-Legacy|V-40173

Vuln-ID|V-225254

WN12-00-000018 - The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

CCI|CCI-001774

Rule-ID|SV-225255r852179_rule

STIG-ID|WN12-00-000018

STIG-Legacy|SV-72047

STIG-Legacy|V-57637

Vuln-ID|V-225255

WN12-00-000019 - Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.

CCI|CCI-002420

CCI|CCI-002422

Rule-ID|SV-225256r852180_rule

STIG-ID|WN12-00-000019

STIG-Legacy|SV-72051

STIG-Legacy|V-57641

Vuln-ID|V-225256

WN12-00-000020 - Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

CCI|CCI-001199

CCI|CCI-002475

CCI|CCI-002476

Rule-ID|SV-225257r852181_rule

STIG-ID|WN12-00-000020

STIG-Legacy|SV-72055

STIG-Legacy|V-57645

Vuln-ID|V-225257

WN12-00-000100 - The Windows 2012 / 2012 R2 system must use an anti-virus program.

Rule-ID|SV-225258r569185_rule

STIG-ID|WN12-00-000100

STIG-Legacy|SV-52103

STIG-Legacy|V-1074

Vuln-ID|V-225258

WN12-00-000160 - The Server Message Block (SMB) v1 protocol must be disabled on Windows 2012 R2.

CCI|CCI-000381

Rule-ID|SV-225259r569185_rule

STIG-ID|WN12-00-000160

STIG-Legacy|SV-88471

STIG-Legacy|V-73805

Vuln-ID|V-225259

WN12-00-000170 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.

Rule-ID|SV-225260r569185_rule

STIG-ID|WN12-00-000170

STIG-Legacy|SV-88193

STIG-Legacy|V-73519

Vuln-ID|V-225260

WN12-00-000180 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client - LanManWorkstation

Rule-ID|SV-225261r569185_rule

STIG-ID|WN12-00-000180

STIG-Legacy|SV-88205

STIG-Legacy|V-73523

Vuln-ID|V-225261

WN12-00-000180 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client - mrxsmb10

WN12-00-000190 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 2012 / 2012 R2.

Rule-ID|SV-225262r569185_rule

STIG-ID|WN12-00-000190

STIG-Legacy|SV-90603

STIG-Legacy|V-75915

Vuln-ID|V-225262

WN12-00-000200 - Windows PowerShell must be updated to a version that supports script block logging on Windows 2012/2012 R2.

Rule-ID|SV-225263r569185_rule

STIG-ID|WN12-00-000200

STIG-Legacy|SV-95179

STIG-Legacy|V-80473

Vuln-ID|V-225263

WN12-00-000210 - PowerShell script block logging must be enabled on Windows 2012/2012 R2 - Enabled

CCI|CCI-000135

Rule-ID|SV-225264r569185_rule

STIG-ID|WN12-00-000210

STIG-Legacy|SV-95183

STIG-Legacy|V-80475

Vuln-ID|V-225264

WN12-00-000210 - PowerShell script block logging must be enabled on Windows 2012/2012 R2 - Patch

WN12-00-000220 - Windows PowerShell 2.0 must not be installed on Windows 2012/2012 R2.

Rule-ID|SV-225265r569185_rule

STIG-ID|WN12-00-000220

STIG-Legacy|SV-95185

STIG-Legacy|V-80477

Vuln-ID|V-225265

WN12-AC-000001 - Windows 2012 account lockout duration must be configured to 15 minutes or greater.

CCI|CCI-002238

Rule-ID|SV-225266r852182_rule

STIG-ID|WN12-AC-000001

STIG-Legacy|SV-52850

STIG-Legacy|V-1099

Vuln-ID|V-225266

WN12-AC-000002 - The number of allowed bad logon attempts must meet minimum requirements.

CCI|CCI-000044

Rule-ID|SV-225267r569185_rule

STIG-ID|WN12-AC-000002

STIG-Legacy|SV-52848

STIG-Legacy|V-1097

Vuln-ID|V-225267

WN12-AC-000003 - The reset period for the account lockout counter must be configured to 15 minutes or greater on Windows 2012.

Rule-ID|SV-225268r852183_rule

STIG-ID|WN12-AC-000003

STIG-Legacy|SV-52849

STIG-Legacy|V-1098

Vuln-ID|V-225268

WN12-AC-000004 - The password history must be configured to 24 passwords remembered.

CCI|CCI-000200

Detections

Analytics

DISA Windows Server 2012 and 2012 R2 MS STIG v3r5

Warning! Audit Deprecated

Audit Details

Audit Changelog

Revision 1.4

Miscellaneous

Revision 1.3

Functional Update

Miscellaneous

Revision 1.2

Functional Update

Revision 1.1

Miscellaneous


Revision 1.4 Aug 8, 2023 Miscellaneous Audit deprecated. Metadata updated. References updated.
Revision 1.3 Apr 12, 2023 Functional Update WN12-AC-000004 - The password history must be configured to 24 passwords remembered. WN12-AC-000005 - The maximum password age must meet requirements. WN12-AC-000006 - The minimum password age must meet requirements. WN12-AC-000007 - Passwords must, at a minimum, be 14 characters. Miscellaneous Metadata updated. Platform check updated. Variables updated.
Revision 1.2 Mar 8, 2023 Functional Update WN12-CC-000071 - The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. WN12-SO-000067 - The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
Revision 1.1 Mar 7, 2023 Miscellaneous Metadata updated. References updated.