DISA_STIG_Windows_11_v1r2.audit from DISA Microsoft Windows 11 v1r2 STIG

WN11-00-000005 - Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version - 64-bit

CAT|II

CCI|CCI-000366

Rule-ID|SV-253254r828846_rule

STIG-ID|WN11-00-000005

Vuln-ID|V-253254

WN11-00-000005 - Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version.

WN11-00-000010 - Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled.

CCI|CCI-002421

Rule-ID|SV-253255r828849_rule

STIG-ID|WN11-00-000010

Vuln-ID|V-253255

WN11-00-000015 - Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.

Rule-ID|SV-253256r828852_rule

STIG-ID|WN11-00-000015

Vuln-ID|V-253256

WN11-00-000020 - Secure Boot must be enabled on Windows 11 systems.

Rule-ID|SV-253257r828855_rule

STIG-ID|WN11-00-000020

Vuln-ID|V-253257

WN11-00-000025 - Windows 11 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP).

CCI|CCI-001233

Rule-ID|SV-253258r828858_rule

STIG-ID|WN11-00-000025

Vuln-ID|V-253258

WN11-00-000030 - Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.

CCI|CCI-002475

Rule-ID|SV-253259r828861_rule

STIG-ID|WN11-00-000030

Vuln-ID|V-253259

WN11-00-000031 - Windows 11 systems must use a BitLocker PIN for pre-boot authentication - UseAdvancedStartup

CCI|CCI-002476

Rule-ID|SV-253260r828864_rule

STIG-ID|WN11-00-000031

Vuln-ID|V-253260

WN11-00-000031 - Windows 11 systems must use a BitLocker PIN for pre-boot authentication - UseTPMPin / UseTPMKeyPin

WN11-00-000032 - Windows 11 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication.

CCI|CCI-000804

Rule-ID|SV-253261r828867_rule

STIG-ID|WN11-00-000032

Vuln-ID|V-253261

WN11-00-000035 - The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

CCI|CCI-001774

Rule-ID|SV-253262r828870_rule

STIG-ID|WN11-00-000035

Vuln-ID|V-253262

WN11-00-000040 - Windows 11 systems must be maintained at a supported servicing level.

CAT|I

Rule-ID|SV-253263r828873_rule

STIG-ID|WN11-00-000040

Vuln-ID|V-253263

WN11-00-000045 - The Windows 11 system must use an antivirus program.

Rule-ID|SV-253264r828876_rule

STIG-ID|WN11-00-000045

Vuln-ID|V-253264

WN11-00-000050 - Local volumes must be formatted using NTFS.

CCI|CCI-000213

Rule-ID|SV-253265r828879_rule

STIG-ID|WN11-00-000050

Vuln-ID|V-253265

WN11-00-000055 - Alternate operating systems must not be permitted on the same system.

Rule-ID|SV-253266r828882_rule

STIG-ID|WN11-00-000055

Vuln-ID|V-253266

WN11-00-000060 - Non-system-created file shares on a system must limit access to groups that require it.

CCI|CCI-001090

Rule-ID|SV-253267r828885_rule

STIG-ID|WN11-00-000060

Vuln-ID|V-253267

WN11-00-000065 - Unused accounts must be disabled or removed from the system after 35 days of inactivity.

CAT|III

CCI|CCI-000172

CCI|CCI-000795

Rule-ID|SV-253268r828888_rule

STIG-ID|WN11-00-000065

Vuln-ID|V-253268

WN11-00-000070 - Only accounts responsible for the administration of a system must have Administrator rights on the system.

CCI|CCI-002165

Rule-ID|SV-253269r828891_rule

STIG-ID|WN11-00-000070

Vuln-ID|V-253269

WN11-00-000075 - Only accounts responsible for the backup operations must be members of the Backup Operators group.

Rule-ID|SV-253270r828894_rule

STIG-ID|WN11-00-000075

Vuln-ID|V-253270

WN11-00-000080 - Only authorized user accounts must be allowed to create or run virtual machines on Windows 11 systems.

Rule-ID|SV-253271r828897_rule

STIG-ID|WN11-00-000080

Vuln-ID|V-253271

WN11-00-000085 - Standard local user accounts must not exist on a system in a domain.

Rule-ID|SV-253272r828900_rule

STIG-ID|WN11-00-000085

Vuln-ID|V-253272

WN11-00-000090 - Accounts must be configured to require password expiration.

CCI|CCI-000199

Rule-ID|SV-253273r828903_rule

STIG-ID|WN11-00-000090

Vuln-ID|V-253273

WN11-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\

Rule-ID|SV-253274r840169_rule

STIG-ID|WN11-00-000095

Vuln-ID|V-253274

WN11-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\Program Files

WN11-00-000095 - Permissions for system files and directories must conform to minimum requirements - C:\Windows

WN11-00-000100 - Internet Information System (IIS) or its subcomponents must not be installed on a workstation.

CCI|CCI-000381

Rule-ID|SV-253275r828909_rule

STIG-ID|WN11-00-000100

Vuln-ID|V-253275

WN11-00-000105 - Simple Network Management Protocol (SNMP) must not be installed on the system.

CCI|CCI-000382

Rule-ID|SV-253276r828912_rule

STIG-ID|WN11-00-000105

Vuln-ID|V-253276

WN11-00-000110 - Simple TCP/IP Services must not be installed on the system.

Rule-ID|SV-253277r828915_rule

STIG-ID|WN11-00-000110

Vuln-ID|V-253277

WN11-00-000115 - The Telnet Client must not be installed on the system.

Rule-ID|SV-253278r828918_rule

STIG-ID|WN11-00-000115

Vuln-ID|V-253278

WN11-00-000120 - The TFTP Client must not be installed on the system.

Rule-ID|SV-253279r828921_rule

STIG-ID|WN11-00-000120

Vuln-ID|V-253279

WN11-00-000130 - Software certificate installation files must be removed from Windows 11.

Rule-ID|SV-253280r828924_rule

STIG-ID|WN11-00-000130

Vuln-ID|V-253280

WN11-00-000135 - A host-based firewall must be installed and enabled on the system.

Rule-ID|SV-253281r828927_rule

STIG-ID|WN11-00-000135

Vuln-ID|V-253281

WN11-00-000140 - Inbound exceptions to the firewall on Windows 11 domain workstations must only allow authorized remote management hosts.

Rule-ID|SV-253282r828930_rule

STIG-ID|WN11-00-000140

Vuln-ID|V-253282

WN11-00-000145 - Data Execution Prevention (DEP) must be configured to at least OptOut.

CCI|CCI-002824

Rule-ID|SV-253283r828933_rule

STIG-ID|WN11-00-000145

Vuln-ID|V-253283

WN11-00-000150 - Structured Exception Handling Overwrite Protection (SEHOP) must be enabled.

Rule-ID|SV-253284r828936_rule

STIG-ID|WN11-00-000150

Vuln-ID|V-253284

WN11-00-000155 - The Windows PowerShell 2.0 feature must be disabled on the system.

Rule-ID|SV-253285r828939_rule

STIG-ID|WN11-00-000155

Vuln-ID|V-253285

WN11-00-000160 - The Server Message Block (SMB) v1 protocol must be disabled on the system.

Rule-ID|SV-253286r828942_rule

STIG-ID|WN11-00-000160

Vuln-ID|V-253286

WN11-00-000165 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.

Rule-ID|SV-253287r828945_rule

STIG-ID|WN11-00-000165

Vuln-ID|V-253287

WN11-00-000170 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.

Rule-ID|SV-253288r828948_rule

STIG-ID|WN11-00-000170

Vuln-ID|V-253288

WN11-00-000175 - The Secondary Logon service must be disabled on Windows 11.

Rule-ID|SV-253289r828951_rule

STIG-ID|WN11-00-000175

Vuln-ID|V-253289

WN11-00-000190 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11.

Rule-ID|SV-253290r828954_rule

STIG-ID|WN11-00-000190

Vuln-ID|V-253290

WN11-00-000210 - Bluetooth must be turned off unless approved by the organization.

Rule-ID|SV-253291r828957_rule

STIG-ID|WN11-00-000210

Vuln-ID|V-253291

WN11-00-000220 - Bluetooth must be turned off when not in use.

Rule-ID|SV-253292r828960_rule

STIG-ID|WN11-00-000220

Vuln-ID|V-253292

WN11-00-000230 - The system must notify the user when a Bluetooth device attempts to connect.

Rule-ID|SV-253293r840170_rule

STIG-ID|WN11-00-000230

Vuln-ID|V-253293

WN11-00-000240 - Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email.

Rule-ID|SV-253294r828966_rule

STIG-ID|WN11-00-000240

Vuln-ID|V-253294

WN11-00-000250 - Windows 11 non-persistent VM sessions must not exceed 24 hours.

CCI|CCI-001199

Rule-ID|SV-253295r828969_rule

STIG-ID|WN11-00-000250

Vuln-ID|V-253295

WN11-00-000260 - The Windows 11 time service must synchronize with an appropriate DoD time source.

CCI|CCI-001891

Rule-ID|SV-253296r828972_rule

STIG-ID|WN11-00-000260

Vuln-ID|V-253296

WN11-AC-000005 - Windows 11 account lockout duration must be configured to 15 minutes or greater.

Detections

Analytics

DISA Windows 11 STIG v1r2

Warning! Audit Deprecated

Audit Details

Audit Changelog

Revision 1.5

Miscellaneous

Revision 1.4

Functional Update

Miscellaneous

Revision 1.3

Functional Update

Revision 1.2

Miscellaneous

Revision 1.1

Functional Update

Miscellaneous


Revision 1.5 Aug 8, 2023 Miscellaneous Audit deprecated. Metadata updated. References updated.
Revision 1.4 Apr 12, 2023 Functional Update WN11-AC-000020 - The password history must be configured to 24 passwords remembered. WN11-AC-000025 - The maximum password age must be configured to 60 days or less. WN11-AC-000030 - The minimum password age must be configured to at least 1 day. WN11-AC-000035 - Passwords must, at a minimum, be 14 characters. Miscellaneous Metadata updated. Variables updated.
Revision 1.3 Mar 8, 2023 Functional Update WN11-CC-000175 - The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. WN11-CC-000285 - The Remote Desktop Session Host must require secure RPC communications. WN11-SO-000015 - Local accounts with blank passwords must be restricted to prevent access from the network. WN11-SO-000205 - The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
Revision 1.2 Mar 7, 2023 Miscellaneous Metadata updated. References updated.
Revision 1.1 Feb 3, 2023 Functional Update WN11-00-000160 - The Server Message Block (SMB) v1 protocol must be disabled on the system. Miscellaneous Variables updated.