DISA Windows Server 2019 STIG v2r4

Audit Details

Name: DISA Windows Server 2019 STIG v2r4

Updated: 10/4/2022

Authority: DISA STIG

Plugin: Windows

Revision: 1.4

Estimated Item Count: 288

File Details

Filename: DISA_STIG_Windows_Server_2019_v2r4.audit

Size: 758 kB

MD5: 4b436735dbfa5be4d438601f6206bebc
SHA256: 61cf096ebe063423a4ae607010a5c3e36b676f41c50ad42696fb743aae5cc384

Audit Items

DescriptionCategories
DISA_STIG_Windows_Server_2019_v2r4.audit from DISA Microsoft Windows Server 2019 v2r4 STIG
WN19-00-000010 - Windows Server 2019 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.

CONFIGURATION MANAGEMENT

WN19-00-000020 - Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.

IDENTIFICATION AND AUTHENTICATION

WN19-00-000030 - Windows Server 2019 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.

CONFIGURATION MANAGEMENT

WN19-00-000040 - Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks.

CONFIGURATION MANAGEMENT

WN19-00-000050 - Windows Server 2019 manually managed application account passwords must be at least 15 characters in length.

IDENTIFICATION AND AUTHENTICATION

WN19-00-000060 - Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.

CONFIGURATION MANAGEMENT

WN19-00-000070 - Windows Server 2019 shared user accounts must not be permitted.

IDENTIFICATION AND AUTHENTICATION

WN19-00-000080 - Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

CONFIGURATION MANAGEMENT

WN19-00-000090 - Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. - TpmPresent

CONFIGURATION MANAGEMENT

WN19-00-000090 - Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. - TpmReady

CONFIGURATION MANAGEMENT

WN19-00-000100 - Windows Server 2019 must be maintained at a supported servicing level.

CONFIGURATION MANAGEMENT

WN19-00-000110 - Windows Server 2019 must use an anti-virus program.

CONFIGURATION MANAGEMENT

WN19-00-000120 - Windows Server 2019 must have a host-based intrusion detection or prevention system.

CONFIGURATION MANAGEMENT

WN19-00-000130 - Windows Server 2019 local volumes must use a format that supports NTFS attributes.

ACCESS CONTROL

WN19-00-000140 - Windows Server 2019 permissions for the system drive root directory (usually C:\) must conform to minimum requirements.

ACCESS CONTROL

WN19-00-000150 - Windows Server 2019 permissions for program file directories must conform to minimum requirements - Program Files

ACCESS CONTROL

WN19-00-000150 - Windows Server 2019 permissions for program file directories must conform to minimum requirements - Program Files (x86)

ACCESS CONTROL

WN19-00-000160 - Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements.

ACCESS CONTROL

WN19-00-000170 - Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained - HKEY_LOCAL_MACHINE\SECURITY

ACCESS CONTROL

WN19-00-000170 - Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained - HKEY_LOCAL_MACHINE\SOFTWARE

ACCESS CONTROL

WN19-00-000170 - Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained - HKEY_LOCAL_MACHINE\SYSTEM

ACCESS CONTROL

WN19-00-000180 - Windows Server 2019 non-administrative accounts or groups must only have print permissions on printer shares.

ACCESS CONTROL

WN19-00-000190 - Windows Server 2019 outdated or unused accounts must be removed or disabled.

IDENTIFICATION AND AUTHENTICATION

WN19-00-000200 - Windows Server 2019 accounts must require passwords.

IDENTIFICATION AND AUTHENTICATION

WN19-00-000210 - Windows Server 2019 passwords must be configured to expire.

IDENTIFICATION AND AUTHENTICATION

WN19-00-000220 - Windows Server 2019 system files must be monitored for unauthorized changes.

CONFIGURATION MANAGEMENT

WN19-00-000230 - Windows Server 2019 non-system-created file shares must limit access to groups that require it.

SYSTEM AND COMMUNICATIONS PROTECTION

WN19-00-000240 - Windows Server 2019 must have software certificate installation files removed.

CONFIGURATION MANAGEMENT

WN19-00-000250 - Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

SYSTEM AND COMMUNICATIONS PROTECTION

WN19-00-000260 - Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.

SYSTEM AND COMMUNICATIONS PROTECTION

WN19-00-000270 - Windows Server 2019 must have the roles and features required by the system documented.

CONFIGURATION MANAGEMENT

WN19-00-000280 - Windows Server 2019 must have a host-based firewall installed and enabled.

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT

WN19-00-000290 - Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Endpoint Security Solution (ESS) is used; 30 days, for any additional internal network scans not covered by ESS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP) - CNDSP.

SYSTEM AND INFORMATION INTEGRITY

WN19-00-000300 - Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours.

ACCESS CONTROL

WN19-00-000310 - Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours.

ACCESS CONTROL

WN19-00-000320 - Windows Server 2019 must not have the Fax Server role installed.

CONFIGURATION MANAGEMENT

WN19-00-000330 - Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.

CONFIGURATION MANAGEMENT

WN19-00-000340 - Windows Server 2019 must not have the Peer Name Resolution Protocol installed.

CONFIGURATION MANAGEMENT

WN19-00-000350 - Windows Server 2019 must not have Simple TCP/IP Services installed.

CONFIGURATION MANAGEMENT

WN19-00-000360 - Windows Server 2019 must not have the Telnet Client installed.

CONFIGURATION MANAGEMENT

WN19-00-000370 - Windows Server 2019 must not have the TFTP Client installed.

CONFIGURATION MANAGEMENT

WN19-00-000380 - Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed - SMB v1 protocol installed.

CONFIGURATION MANAGEMENT

WN19-00-000390 - Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.

CONFIGURATION MANAGEMENT

WN19-00-000400 - Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.

CONFIGURATION MANAGEMENT

WN19-00-000410 - Windows Server 2019 must not have Windows PowerShell 2.0 installed.

CONFIGURATION MANAGEMENT

WN19-00-000420 - Windows Server 2019 FTP servers must be configured to prevent anonymous logons.

CONFIGURATION MANAGEMENT

WN19-00-000430 - Windows Server 2019 FTP servers must be configured to prevent access to the system drive.

CONFIGURATION MANAGEMENT

WN19-00-000440 - The Windows Server 2019 time service must synchronize with an appropriate DoD time source.

AUDIT AND ACCOUNTABILITY

WN19-00-000450 - Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights.

CONFIGURATION MANAGEMENT