| 2.3.7.7 (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only) | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.10.4 (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 5.2 (L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (MS only) | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.8.22.1.11 (L2) Ensure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.90.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| Account lockout duration | MSCT Windows Server 1903 DC v1.19.9 | Windows | ACCESS CONTROL |
| Allow binary and script behaviors | MSCT Windows Server 1903 DC v1.19.9 | Windows | CONFIGURATION MANAGEMENT |
| Allow cut, copy or paste operations from the clipboard via script - Restricted Sites Zone | MSCT Windows Server 1903 DC v1.19.9 | Windows | CONFIGURATION MANAGEMENT |
| Allow indexing of encrypted files | MSCT Windows Server 1903 DC v1.19.9 | Windows | CONFIGURATION MANAGEMENT |
| Allow unencrypted traffic - Client - AllowUnencryptedTraffic | MSCT Windows Server 1903 DC v1.19.9 | Windows | ACCESS CONTROL |
| Allow updates to status bar via script - Internet Zone | MSCT Windows Server 1903 DC v1.19.9 | Windows | CONFIGURATION MANAGEMENT |
| Allow user control over installs | MSCT Windows Server 1903 DC v1.19.9 | Windows | ACCESS CONTROL |
| Allow VBScript to run in Internet Explorer - Internet Zone | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Always install with elevated privileges | MSCT Windows Server 1903 DC v1.19.9 | Windows | ACCESS CONTROL |
| Audit Directory Service Access | MSCT Windows Server 1903 DC v1.19.9 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit Other System Events | MSCT Windows Server 1903 DC v1.19.9 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit Security State Change | MSCT Windows Server 1903 DC v1.19.9 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit Sensitive Privilege Use | MSCT Windows Server 1903 DC v1.19.9 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit System Integrity | MSCT Windows Server 1903 DC v1.19.9 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | MSCT Windows Server 1903 DC v1.19.9 | Windows | AUDIT AND ACCOUNTABILITY |
| Check for server certificate revocation | MSCT Windows Server 1903 DC v1.19.9 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Configure Attack Surface Reduction rules - d4f940ab-401b-4efc-aadc-ad5f3c50688a | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Configure detection for potentially unwanted applications | MSCT Windows Server 1903 DC v1.19.9 | Windows | CONFIGURATION MANAGEMENT |
| Configure SMB v1 server | MSCT Windows Server 1903 DC v1.19.9 | Windows | CONFIGURATION MANAGEMENT |
| Create a pagefile | MSCT Windows Server 1903 DC v1.19.9 | Windows | ACCESS CONTROL |
| Create a token object | MSCT Windows Server 1903 DC v1.19.9 | Windows | ACCESS CONTROL |
| Create global objects | MSCT Windows Server 1903 DC v1.19.9 | Windows | ACCESS CONTROL |
| Disallow Autoplay for non-volume devices | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Domain member: Disable machine account password changes | MSCT Windows Server 1903 DC v1.19.9 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Domain member: Require strong (Windows 2000 or later) session key | MSCT Windows Server 1903 DC v1.19.9 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Don't run antimalware programs against ActiveX controls - Internet Zone | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Enable insecure guest logons | MSCT Windows Server 1903 DC v1.19.9 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Enable Structured Exception Handling Overwrite Protection (SEHOP) | MSCT Windows Server 1903 DC v1.19.9 | Windows | CONFIGURATION MANAGEMENT |
| Enforce password history | MSCT Windows Server 1903 DC v1.19.9 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Initialize and script ActiveX controls not marked as safe - Restricted Sites Zone | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Initialize and script ActiveX controls not marked as safe - Trusted Sites Zone | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Internet Explorer Processes - FEATURE_DISABLE_MK_PROTOCOL - iexplore.exe | MSCT Windows Server 1903 DC v1.19.9 | Windows | CONFIGURATION MANAGEMENT |
| Internet Explorer Processes - FEATURE_MIME_SNIFFING - (Reserved) | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Internet Explorer Processes - FEATURE_MIME_SNIFFING - explorer.exe | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Internet Explorer Processes - FEATURE_RESTRICT_ACTIVEXINSTALL - (Reserved) | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Load and unload device drivers | MSCT Windows Server 1903 DC v1.19.9 | Windows | ACCESS CONTROL |
| Microsoft network client: Send unencrypted password to third-party SMB servers - EnablePlainTextPassword | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Prevent enabling lock screen slide show | MSCT Windows Server 1903 DC v1.19.9 | Windows | CONFIGURATION MANAGEMENT |
| Prevent ignoring certificate errors | MSCT Windows Server 1903 DC v1.19.9 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
