| 1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.10 (L1) Ensure 'Back up files and directories' is set to 'Administrators' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.17 (L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only) | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.23 (L1) Ensure 'Deny log on locally' to include 'Guests' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.32 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.45 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.1.3 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.1.5 (L1) Configure 'Accounts: Rename guest account' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 2.3.5.1 (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 17.2.6 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only) | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 18.2.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only) | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.3.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only) | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 18.3.4 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.3.5 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.3.8 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | CIS Microsoft Windows Server 2008 Domain Controller Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.6.3 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.8.22.1.4 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.8.37.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only) | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.25.2 (L1) Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings) | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.25.7 (L1) Ensure 'System DEP' is set to 'Enabled: Application Opt-Out' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.27.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 18.9.27.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 18.9.31.2 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.65.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 18.9.65.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.67.2 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.102.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.102.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
