DISA_STIG_Windows_10_v2r5.audit from DISA Microsoft Windows 10 v2r5 STIG

WN10-00-000005 - Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version - 64-bit

CAT|II

CCI|CCI-000366

Rule-ID|SV-220697r857178_rule

STIG-ID|WN10-00-000005

STIG-Legacy|SV-77809

STIG-Legacy|V-63319

Vuln-ID|V-220697

WN10-00-000005 - Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.

WN10-00-000010 - Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use - TPM enabled and ready for use.

Rule-ID|SV-220698r857181_rule

STIG-ID|WN10-00-000010

STIG-Legacy|SV-77813

STIG-Legacy|V-63323

Vuln-ID|V-220698

WN10-00-000015 - Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.

Rule-ID|SV-220699r569187_rule

STIG-ID|WN10-00-000015

STIG-Legacy|SV-91779

STIG-Legacy|V-77083

Vuln-ID|V-220699

WN10-00-000020 - Secure Boot must be enabled on Windows 10 systems.

CAT|III

Rule-ID|SV-220700r569187_rule

STIG-ID|WN10-00-000020

STIG-Legacy|SV-91781

STIG-Legacy|V-77085

Vuln-ID|V-220700

WN10-00-000025 - Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP) - CNDSP.

CCI|CCI-001233

Rule-ID|SV-220701r793197_rule

STIG-ID|WN10-00-000025

STIG-Legacy|SV-77833

STIG-Legacy|V-63343

Vuln-ID|V-220701

WN10-00-000030 - Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.

CCI|CCI-001199

CCI|CCI-002475

CCI|CCI-002476

Rule-ID|SV-220702r859296_rule

STIG-ID|WN10-00-000030

STIG-Legacy|SV-77827

STIG-Legacy|V-63337

Vuln-ID|V-220702

WN10-00-000031 - Windows 10 systems must use a BitLocker PIN for pre-boot authentication - UseAdvancedStartup

Rule-ID|SV-220703r859157_rule

STIG-ID|WN10-00-000031

STIG-Legacy|SV-104689

STIG-Legacy|V-94859

Vuln-ID|V-220703

WN10-00-000031 - Windows 10 systems must use a BitLocker PIN for pre-boot authentication - UseTPMPin / UseTPMKeyPin

WN10-00-000032 - Windows 10 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.

Rule-ID|SV-220704r859297_rule

STIG-ID|WN10-00-000032

STIG-Legacy|SV-104691

STIG-Legacy|V-94861

Vuln-ID|V-220704

WN10-00-000035 - The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

CCI|CCI-001774

Rule-ID|SV-220705r851963_rule

STIG-ID|WN10-00-000035

STIG-Legacy|SV-77835

STIG-Legacy|V-63345

Vuln-ID|V-220705

WN10-00-000040 - Windows 10 systems must be maintained at a supported servicing level.

CAT|I

Rule-ID|SV-220706r857183_rule

STIG-ID|WN10-00-000040

STIG-Legacy|SV-77839

STIG-Legacy|V-63349

Vuln-ID|V-220706

WN10-00-000045 - The Windows 10 system must use an anti-virus program.

Rule-ID|SV-220707r793194_rule

STIG-ID|WN10-00-000045

STIG-Legacy|SV-77841

STIG-Legacy|V-63351

Vuln-ID|V-220707

WN10-00-000050 - Local volumes must be formatted using NTFS.

CCI|CCI-000213

Rule-ID|SV-220708r569187_rule

STIG-ID|WN10-00-000050

STIG-Legacy|SV-77843

STIG-Legacy|V-63353

Vuln-ID|V-220708

WN10-00-000055 - Alternate operating systems must not be permitted on the same system.

Rule-ID|SV-220709r569187_rule

STIG-ID|WN10-00-000055

STIG-Legacy|SV-77845

STIG-Legacy|V-63355

Vuln-ID|V-220709

WN10-00-000060 - Non system-created file shares on a system must limit access to groups that require it.

CCI|CCI-001090

Rule-ID|SV-220710r569187_rule

STIG-ID|WN10-00-000060

STIG-Legacy|SV-77847

STIG-Legacy|V-63357

Vuln-ID|V-220710

WN10-00-000065 - Unused accounts must be disabled or removed from the system after 35 days of inactivity.

CCI|CCI-000795

Rule-ID|SV-220711r569187_rule

STIG-ID|WN10-00-000065

STIG-Legacy|SV-77849

STIG-Legacy|V-63359

Vuln-ID|V-220711

WN10-00-000070 - Only accounts responsible for the administration of a system must have Administrator rights on the system.

CCI|CCI-002235

Rule-ID|SV-220712r851964_rule

STIG-ID|WN10-00-000070

STIG-Legacy|SV-77851

STIG-Legacy|V-63361

Vuln-ID|V-220712

WN10-00-000075 - Only accounts responsible for the backup operations must be members of the Backup Operators group.

Rule-ID|SV-220713r569187_rule

STIG-ID|WN10-00-000075

STIG-Legacy|SV-77853

STIG-Legacy|V-63363

Vuln-ID|V-220713

WN10-00-000080 - Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems.

CCI|CCI-000381

Rule-ID|SV-220714r569187_rule

STIG-ID|WN10-00-000080

STIG-Legacy|SV-77855

STIG-Legacy|V-63365

Vuln-ID|V-220714

WN10-00-000085 - Standard local user accounts must not exist on a system in a domain.

Rule-ID|SV-220715r569187_rule

STIG-ID|WN10-00-000085

STIG-Legacy|SV-77857

STIG-Legacy|V-63367

Vuln-ID|V-220715

WN10-00-000090 - Accounts must be configured to require password expiration.

CCI|CCI-000199

Rule-ID|SV-220716r569187_rule

STIG-ID|WN10-00-000090

STIG-Legacy|SV-77861

STIG-Legacy|V-63371

Vuln-ID|V-220716

WN10-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\

CCI|CCI-002165

Rule-ID|SV-220717r851965_rule

STIG-ID|WN10-00-000095

STIG-Legacy|SV-77863

STIG-Legacy|V-63373

Vuln-ID|V-220717

WN10-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\Program Files

WN10-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\Windows

WN10-00-000100 - Internet Information System (IIS) or its subcomponents must not be installed on a workstation.

Rule-ID|SV-220718r569187_rule

STIG-ID|WN10-00-000100

STIG-Legacy|SV-77867

STIG-Legacy|V-63377

Vuln-ID|V-220718

WN10-00-000105 - Simple Network Management Protocol (SNMP) must not be installed on the system.

CCI|CCI-000382

Rule-ID|SV-220719r569187_rule

STIG-ID|WN10-00-000105

STIG-Legacy|SV-77871

STIG-Legacy|V-63381

Vuln-ID|V-220719

WN10-00-000110 - Simple TCP/IP Services must not be installed on the system.

Rule-ID|SV-220720r569187_rule

STIG-ID|WN10-00-000110

STIG-Legacy|SV-77873

STIG-Legacy|V-63383

Vuln-ID|V-220720

WN10-00-000115 - The Telnet Client must not be installed on the system.

Rule-ID|SV-220721r569187_rule

STIG-ID|WN10-00-000115

STIG-Legacy|SV-77875

STIG-Legacy|V-63385

Vuln-ID|V-220721

WN10-00-000120 - The TFTP Client must not be installed on the system.

Rule-ID|SV-220722r569187_rule

STIG-ID|WN10-00-000120

STIG-Legacy|SV-77879

STIG-Legacy|V-63389

Vuln-ID|V-220722

WN10-00-000130 - Software certificate installation files must be removed from Windows 10.

Rule-ID|SV-220723r569187_rule

STIG-ID|WN10-00-000130

STIG-Legacy|SV-77883

STIG-Legacy|V-63393

Vuln-ID|V-220723

WN10-00-000135 - A host-based firewall must be installed and enabled on the system.

Rule-ID|SV-220724r569187_rule

STIG-ID|WN10-00-000135

STIG-Legacy|SV-77889

STIG-Legacy|V-63399

Vuln-ID|V-220724

WN10-00-000140 - Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts.

Rule-ID|SV-220725r569187_rule

STIG-ID|WN10-00-000140

STIG-Legacy|SV-77893

STIG-Legacy|V-63403

Vuln-ID|V-220725

WN10-00-000145 - Data Execution Prevention (DEP) must be configured to at least OptOut.

CCI|CCI-002824

Rule-ID|SV-220726r851966_rule

STIG-ID|WN10-00-000145

STIG-Legacy|SV-83439

Detections

Analytics

DISA Windows 10 STIG v2r5

Warning! Audit Deprecated

Audit Details

Audit Changelog

Revision 1.4

Miscellaneous

Revision 1.3

Functional Update

Miscellaneous

Revision 1.2

Functional Update

Revision 1.1

Miscellaneous


Revision 1.4 Aug 8, 2023 Miscellaneous Audit deprecated. Metadata updated. References updated.
Revision 1.3 Apr 12, 2023 Functional Update WN10-AC-000020 - The password history must be configured to 24 passwords remembered. WN10-AC-000025 - The maximum password age must be configured to 60 days or less. WN10-AC-000030 - The minimum password age must be configured to at least 1 day. WN10-AC-000035 - Passwords must, at a minimum, be 14 characters. Miscellaneous Metadata updated. Platform check updated. Variables updated.
Revision 1.2 Mar 8, 2023 Functional Update WN10-CC-000175 - The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. WN10-CC-000285 - The Remote Desktop Session Host must require secure RPC communications. WN10-SO-000015 - Local accounts with blank passwords must be restricted to prevent access from the network. WN10-SO-000205 - The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
Revision 1.1 Mar 7, 2023 Miscellaneous Metadata updated. References updated.