DISA_STIG_Windows_11_v2r1.audit from DISA Microsoft Windows 11 v2r1 STIG | |
WN11-00-000005 - Domain-joined systems must use Windows 11 Enterprise Edition 64-bit version. | CONFIGURATION MANAGEMENT |
WN11-00-000010 - Windows 11 domain-joined systems must have a Trusted Platform Module (TPM) enabled. | SYSTEM AND COMMUNICATIONS PROTECTION |
WN11-00-000015 - Windows 11 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | SYSTEM AND COMMUNICATIONS PROTECTION |
WN11-00-000020 - Secure Boot must be enabled on Windows 11 systems. | SYSTEM AND COMMUNICATIONS PROTECTION |
WN11-00-000025 - Windows 11 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: Continuously, where ESS is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | CONFIGURATION MANAGEMENT |
WN11-00-000030 - Windows 11 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. | SYSTEM AND COMMUNICATIONS PROTECTION |
WN11-00-000031 - Windows 11 systems must use a BitLocker PIN for pre-boot authentication. | SYSTEM AND COMMUNICATIONS PROTECTION |
WN11-00-000032 - Windows 11 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication. | IDENTIFICATION AND AUTHENTICATION |
WN11-00-000035 - The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | CONFIGURATION MANAGEMENT |
WN11-00-000040 - Windows 11 systems must be maintained at a supported servicing level. | CONFIGURATION MANAGEMENT |
WN11-00-000045 - The Windows 11 system must use an antivirus program. | CONFIGURATION MANAGEMENT |
WN11-00-000050 - Local volumes must be formatted using NTFS. | ACCESS CONTROL |
WN11-00-000055 - Alternate operating systems must not be permitted on the same system. | CONFIGURATION MANAGEMENT |
WN11-00-000060 - Non-system-created file shares on a system must limit access to groups that require it. | SYSTEM AND COMMUNICATIONS PROTECTION |
WN11-00-000065 - Unused accounts must be disabled or removed from the system after 35 days of inactivity. | AUDIT AND ACCOUNTABILITY |
WN11-00-000070 - Only accounts responsible for the administration of a system must have Administrator rights on the system. | ACCESS CONTROL |
WN11-00-000075 - Only accounts responsible for the backup operations must be members of the Backup Operators group. | CONFIGURATION MANAGEMENT |
WN11-00-000080 - Only authorized user accounts must be allowed to create or run virtual machines on Windows 11 systems. | ACCESS CONTROL |
WN11-00-000085 - Standard local user accounts must not exist on a system in a domain. | CONFIGURATION MANAGEMENT |
WN11-00-000090 - Accounts must be configured to require password expiration. | IDENTIFICATION AND AUTHENTICATION |
WN11-00-000095 - Permissions for system files and directories must conform to minimum requirements. | ACCESS CONTROL |
WN11-00-000100 - Internet Information System (IIS) or its subcomponents must not be installed on a workstation. | CONFIGURATION MANAGEMENT |
WN11-00-000105 - Simple Network Management Protocol (SNMP) must not be installed on the system. | CONFIGURATION MANAGEMENT |
WN11-00-000110 - Simple TCP/IP Services must not be installed on the system. | CONFIGURATION MANAGEMENT |
WN11-00-000115 - The Telnet Client must not be installed on the system. | CONFIGURATION MANAGEMENT |
WN11-00-000120 - The TFTP Client must not be installed on the system. | CONFIGURATION MANAGEMENT |
WN11-00-000130 - Software certificate installation files must be removed from Windows 11. | CONFIGURATION MANAGEMENT |
WN11-00-000135 - A host-based firewall must be installed and enabled on the system. | CONFIGURATION MANAGEMENT |
WN11-00-000140 - Inbound exceptions to the firewall on Windows 11 domain workstations must only allow authorized remote management hosts. | CONFIGURATION MANAGEMENT |
WN11-00-000145 - Data Execution Prevention (DEP) must be configured to at least OptOut. | SYSTEM AND INFORMATION INTEGRITY |
WN11-00-000150 - Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. | SYSTEM AND INFORMATION INTEGRITY |
WN11-00-000155 - The Windows PowerShell 2.0 feature must be disabled on the system. | CONFIGURATION MANAGEMENT |
WN11-00-000160 - The Server Message Block (SMB) v1 protocol must be disabled on the system. | CONFIGURATION MANAGEMENT |
WN11-00-000165 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. | CONFIGURATION MANAGEMENT |
WN11-00-000170 - The Server Message Block (SMB) v1 protocol must be disabled on the SMB client. | CONFIGURATION MANAGEMENT |
WN11-00-000175 - The Secondary Logon service must be disabled on Windows 11. | CONFIGURATION MANAGEMENT |
WN11-00-000190 - Orphaned security identifiers (SIDs) must be removed from user rights on Windows 11. | CONFIGURATION MANAGEMENT |
WN11-00-000210 - Bluetooth must be turned off unless approved by the organization. | CONFIGURATION MANAGEMENT |
WN11-00-000220 - Bluetooth must be turned off when not in use. | CONFIGURATION MANAGEMENT |
WN11-00-000230 - The system must notify the user when a Bluetooth device attempts to connect. | CONFIGURATION MANAGEMENT |
WN11-00-000240 - Administrative accounts must not be used with applications that access the internet, such as web browsers, or with potential internet sources, such as email. | CONFIGURATION MANAGEMENT |
WN11-00-000250 - Windows 11 nonpersistent VM sessions must not exceed 24 hours. | SYSTEM AND COMMUNICATIONS PROTECTION |
WN11-00-000260 - The Windows 11 time service must synchronize with an appropriate DOD time source. | AUDIT AND ACCOUNTABILITY |
WN11-00-000395 - Windows 11 must not have portproxy enabled or in use. | CONFIGURATION MANAGEMENT |
WN11-AC-000005 - Windows 11 account lockout duration must be configured to 15 minutes or greater. | ACCESS CONTROL |
WN11-AC-000010 - The number of allowed bad logon attempts must be configured to three or less. | ACCESS CONTROL |
WN11-AC-000015 - The period of time before the bad logon counter is reset must be configured to 15 minutes. | ACCESS CONTROL |
WN11-AC-000020 - The password history must be configured to 24 passwords remembered. | IDENTIFICATION AND AUTHENTICATION |
WN11-AC-000025 - The maximum password age must be configured to 60 days or less. | IDENTIFICATION AND AUTHENTICATION |