| 2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only) | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 2.2.15 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.17 (L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only) | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.20 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only) | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.34 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.35 (L1) Ensure 'Lock pages in memory' is set to 'No One' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.36 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only) | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.39 (L1) Ensure 'Modify an object label' is set to 'No One' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.47 (L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only) | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.3.5.5 (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.3.10.4 (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.10.9 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths' is configured | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.5.5 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.5.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.5.9 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 18.5.12 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| 18.6.4.1 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.6.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.6.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 1 = Minimize simultaneous connections' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 18.9.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.20.1.5 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.20.1.8 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.20.1.12 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.27.2 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 18.9.32.6.1 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 18.9.46.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.43.5.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.57.3.2.1 (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.81.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.89.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 19.1.3.2 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 19.7.40.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| Act as part of the operating system | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Always install with elevated privileges | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Audit Authentication Policy Change | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
