DISA Windows 11 STIG v1r1

Audit Details

Name: DISA Windows 11 STIG v1r1

Updated: 10/18/2022

Authority: DISA STIG

Plugin: Windows

Revision: 1.0

Estimated Item Count: 274

File Details

Filename: DISA_STIG_Windows_11_v1r1.audit

Size: 506 kB

MD5: d759ba3d6a607b4d551fb660b90dc322
SHA256: eb86547f1574611fadaad2af6b4325519198e72562d1dcb0c2900b01a6c37da1

Audit Items

DescriptionCategories
DISA_STIG_Windows_11_v1r1.audit from DISA Microsoft Windows 11 v1r1 STIG
WN11-00-000005 - Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version - 64-bit

CONFIGURATION MANAGEMENT

WN11-00-000005 - Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version.

CONFIGURATION MANAGEMENT

WN11-00-000010 - Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled.

SYSTEM AND COMMUNICATIONS PROTECTION

WN11-00-000015 - Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.

SYSTEM AND COMMUNICATIONS PROTECTION

WN11-00-000020 - Secure Boot must be enabled on Windows 11 systems.

SYSTEM AND COMMUNICATIONS PROTECTION

WN11-00-000025 - Windows 11 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).

SYSTEM AND INFORMATION INTEGRITY

WN11-00-000030 - Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.

SYSTEM AND COMMUNICATIONS PROTECTION

WN11-00-000031 - Windows 11 systems must use a BitLocker PIN for pre-boot authentication - UseAdvancedStartup

SYSTEM AND COMMUNICATIONS PROTECTION

WN11-00-000031 - Windows 11 systems must use a BitLocker PIN for pre-boot authentication - UseTPMPin / UseTPMKeyPin

SYSTEM AND COMMUNICATIONS PROTECTION

WN11-00-000032 - Windows 11 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.

IDENTIFICATION AND AUTHENTICATION

WN11-00-000035 - The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

CONFIGURATION MANAGEMENT

WN11-00-000040 - Windows 11 systems must be maintained at a supported servicing level.

CONFIGURATION MANAGEMENT

WN11-00-000045 - The Windows 11 system must use an antivirus program.

CONFIGURATION MANAGEMENT

WN11-00-000050 - Local volumes must be formatted using NTFS.

ACCESS CONTROL

WN11-00-000055 - Alternate operating systems must not be permitted on the same system.

CONFIGURATION MANAGEMENT

WN11-00-000060 - Non-system-created file shares on a system must limit access to groups that require it.

SYSTEM AND COMMUNICATIONS PROTECTION

WN11-00-000065 - Unused accounts must be disabled or removed from the system after 35 days of inactivity.

AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION

WN11-00-000070 - Only accounts responsible for the administration of a system must have Administrator rights on the system.

ACCESS CONTROL

WN11-00-000075 - Only accounts responsible for the backup operations must be members of the Backup Operators group.

CONFIGURATION MANAGEMENT

WN11-00-000080 - Only authorized user accounts must be allowed to create or run virtual machines on Windows 11 systems.

ACCESS CONTROL

WN11-00-000085 - Standard local user accounts must not exist on a system in a domain.

CONFIGURATION MANAGEMENT

WN11-00-000090 - Accounts must be configured to require password expiration.

IDENTIFICATION AND AUTHENTICATION

WN11-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\

ACCESS CONTROL

WN11-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\Program Files

ACCESS CONTROL

WN11-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\Windows

ACCESS CONTROL

WN11-00-000100 - Internet Information System (IIS) or its subcomponents must not be installed on a workstation.

CONFIGURATION MANAGEMENT

WN11-00-000105 - Simple Network Management Protocol (SNMP) must not be installed on the system.

CONFIGURATION MANAGEMENT

WN11-00-000110 - Simple TCP/IP Services must not be installed on the system.

CONFIGURATION MANAGEMENT

WN11-00-000115 - The Telnet Client must not be installed on the system.

CONFIGURATION MANAGEMENT

WN11-00-000120 - The TFTP Client must not be installed on the system.

CONFIGURATION MANAGEMENT

WN11-00-000130 - Software certificate installation files must be removed from Windows 11.

CONFIGURATION MANAGEMENT

WN11-00-000135 - A host-based firewall must be installed and enabled on the system.

CONFIGURATION MANAGEMENT

WN11-00-000140 - Inbound exceptions to the firewall on Windows 11 domain workstations must only allow authorized remote management hosts.

CONFIGURATION MANAGEMENT

WN11-00-000145 - Data Execution Prevention (DEP) must be configured to at least OptOut.

INCIDENT RESPONSE

WN11-00-000150 - Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.

INCIDENT RESPONSE

WN11-00-000155 - The Windows PowerShell 2.0 feature must be disabled on the system.

CONFIGURATION MANAGEMENT

WN11-00-000160 - The Server Message Block (SMB) v1 protocol must be disabled on the system.

CONFIGURATION MANAGEMENT

WN11-00-000165 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.

CONFIGURATION MANAGEMENT

WN11-00-000170 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.

CONFIGURATION MANAGEMENT

WN11-00-000175 - The Secondary Logon service must be disabled on Windows 11.

CONFIGURATION MANAGEMENT

WN11-00-000190 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11.

CONFIGURATION MANAGEMENT

WN11-00-000210 - Bluetooth must be turned off unless approved by the organization.

CONFIGURATION MANAGEMENT

WN11-00-000220 - Bluetooth must be turned off when not in use.

CONFIGURATION MANAGEMENT

WN11-00-000230 - The system must notify the user when a Bluetooth device attempts to connect.

CONFIGURATION MANAGEMENT

WN11-00-000240 - Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.

CONFIGURATION MANAGEMENT

WN11-00-000250 - Windows 11 non-persistent VM sessions must not exceed 24 hours.

SYSTEM AND COMMUNICATIONS PROTECTION

WN11-00-000260 - The Windows 11 time service must synchronize with an appropriate DoD time source.

AUDIT AND ACCOUNTABILITY

WN11-AC-000005 - Windows 11 account lockout duration must be configured to 15 minutes or greater.

ACCESS CONTROL

WN11-AC-000010 - The number of allowed bad logon attempts must be configured to three or less.

ACCESS CONTROL