| 1.3.1 Ensure 'Enforce user logon restrictions' is set to 'Enabled' (STIG DC only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | ACCESS CONTROL |
| 3.4 Ensure IIS HTTP detailed errors are hidden from displaying remotely - Default | CIS IIS 7 L1 v1.8.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.11.2.18 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.11.2.18 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.11.3.18 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | ACCESS CONTROL, MEDIA PROTECTION |
| 18.9.11.3.18 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker | Windows | ACCESS CONTROL, MEDIA PROTECTION |
| 18.9.65.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)' | CIS Microsoft Windows Server 2008 Domain Controller Level 2 v3.3.1 | Windows | ACCESS CONTROL |
| 18.10.9.3.13 (L1) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.1.10 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | CIS Microsoft Windows 11 Stand-alone v4.0.0 L1 BL | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.1.13 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | CIS Microsoft Windows 11 Enterprise v4.0.0 BitLocker | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.1.13 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 BL | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.3.10 (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L1 BL NG | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.3.10 (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' | CIS Microsoft Windows 11 Stand-alone v4.0.0 BL | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.3.13 (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' | CIS Microsoft Windows 10 Enterprise v4.0.0 BL | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.57.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)' | CIS Windows Server 2012 R2 DC L2 v3.0.0 | Windows | ACCESS CONTROL |
| 18.10.57.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)' | CIS Windows Server 2012 R2 MS L2 v3.0.0 | Windows | ACCESS CONTROL |
| 18.10.57.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)' | CIS Microsoft Windows 10 Enterprise v4.0.0 L2 NG | Windows | ACCESS CONTROL |
| 18.10.57.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L2 | Windows | ACCESS CONTROL |
| AADC-CL-001280 - Adobe Acrobat Pro DC Classic Default Handler changes must be disabled. | DISA STIG Adobe Acrobat Pro DC Classic Track v2r1 | Windows | CONFIGURATION MANAGEMENT |
| ESXI-70-000012 - The ESXi host Secure Shell (SSH) daemon must ignore '.rhosts' files - .rhosts files. | DISA STIG VMware vSphere 7.0 ESXi OS v1r4 | Unix | IDENTIFICATION AND AUTHENTICATION |
| ESXI-70-000020 - The ESXi host Secure Shell (SSH) daemon must perform strict mode checking of home directory configuration files. | DISA STIG VMware vSphere 7.0 ESXi OS v1r4 | Unix | CONFIGURATION MANAGEMENT |
| ESXI-70-000027 - The ESXi host Secure Shell (SSH) daemon must set a timeout interval on idle sessions. | DISA STIG VMware vSphere 7.0 ESXi OS v1r4 | Unix | CONFIGURATION MANAGEMENT |
| ESXI-70-000047 - The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance levels must be verified. | DISA STIG VMware vSphere 7.0 ESXi OS v1r4 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000056 - The ESXi host must configure the firewall to restrict access to services running on the host. | DISA STIG VMware vSphere 7.0 ESXi OS v1r4 | Unix | CONFIGURATION MANAGEMENT |
| ESXI-70-000084 - The ESXi host must enable audit logging. | DISA STIG VMware vSphere 7.0 ESXi OS v1r4 | Unix | CONFIGURATION MANAGEMENT |
| MS.SHAREPOINT.1.3v1 - External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs. | CISA SCuBA Microsoft 365 SharePoint Online OneDrive v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| PHTN-30-000047 - The Photon operating system audit files and directories must have correct permissions. | DISA STIG VMware vSphere 7.0 Photon OS v1r4 | Unix | AUDIT AND ACCOUNTABILITY |
| PHTN-30-000050 - The Photon operating system must enforce password complexity by requiring that at least one special character be used. | DISA STIG VMware vSphere 7.0 Photon OS v1r4 | Unix | IDENTIFICATION AND AUTHENTICATION |
| PHTN-30-000051 - The Photon operating system package files must not be modified. | DISA STIG VMware vSphere 7.0 Photon OS v1r4 | Unix | AUDIT AND ACCOUNTABILITY |
| PHTN-30-000054 - The Photon operating system must audit the execution of privileged functions. | DISA STIG VMware vSphere 7.0 Photon OS v1r4 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| PHTN-30-000065 - The Photon operating system must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | DISA STIG VMware vSphere 7.0 Photon OS v1r4 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| PHTN-30-000070 - The Photon operating system auditd service must generate audit records for all account creations, modifications, disabling, and termination events. | DISA STIG VMware vSphere 7.0 Photon OS v1r4 | Unix | AUDIT AND ACCOUNTABILITY |
| PHTN-30-000078 - The Photon operating system must configure sshd to disallow Generic Security Service Application Program Interface (GSSAPI) authentication. | DISA STIG VMware vSphere 7.0 Photon OS v1r4 | Unix | CONFIGURATION MANAGEMENT |
| PHTN-30-000081 - The Photon operating system must configure sshd to perform strict mode checking of home directory configuration files. | DISA STIG VMware vSphere 7.0 Photon OS v1r4 | Unix | CONFIGURATION MANAGEMENT |
| PHTN-30-000094 - The Photon operating system must be configured so that all files have a valid owner and group owner. | DISA STIG VMware vSphere 7.0 Photon OS v1r4 | Unix | CONFIGURATION MANAGEMENT |
| PHTN-30-000099 - The Photon operating system must not respond to IPv4 Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | DISA STIG VMware vSphere 7.0 Photon OS v1r4 | Unix | CONFIGURATION MANAGEMENT |
| PHTN-30-000108 - The Photon operating system must be configured to protect the Secure Shell (SSH) public host key from unauthorized modification. | DISA STIG VMware vSphere 7.0 Photon OS v1r4 | Unix | CONFIGURATION MANAGEMENT |
| VMCH-70-000006 - Independent, nonpersistent disks must not be used on the virtual machine (VM). | DISA STIG VMware vSphere 7.0 Virtual Machine v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VMCH-70-000007 - Host Guest File System (HGFS) file transfers must be disabled on the virtual machine (VM). | DISA STIG VMware vSphere 7.0 Virtual Machine v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VMCH-70-000011 - Unauthorized serial devices must be disconnected on the virtual machine (VM). | DISA STIG VMware vSphere 7.0 Virtual Machine v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VMCH-70-000017 - The virtual machine (VM) must not be able to obtain host information from the hypervisor. | DISA STIG VMware vSphere 7.0 Virtual Machine v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VMCH-70-000020 - System administrators must use templates to deploy virtual machines (VMs) whenever possible. | DISA STIG VMware vSphere 7.0 Virtual Machine v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VMCH-70-000021 - Use of the virtual machine (VM) console must be minimized. | DISA STIG VMware vSphere 7.0 Virtual Machine v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VMCH-70-000022 - The virtual machine (VM) guest operating system must be locked when the last console connection is closed. | DISA STIG VMware vSphere 7.0 Virtual Machine v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VMCH-70-000028 - DirectPath I/O must be disabled on the virtual machine (VM) when not required. | DISA STIG VMware vSphere 7.0 Virtual Machine v1r4 | VMware | CONFIGURATION MANAGEMENT |
| WBLC-05-000176 - Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data - JAVA_OPTIONS | Oracle WebLogic Server 12c Linux v2r2 | Unix | IDENTIFICATION AND AUTHENTICATION |
| WBLC-05-000177 - Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes - JAVA_OPTIONS | Oracle WebLogic Server 12c Linux v2r2 | Unix | IDENTIFICATION AND AUTHENTICATION |
| WBLC-05-000177 - Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes - PRE_CLASSPATH | Oracle WebLogic Server 12c Linux v2r2 Middleware | Unix | IDENTIFICATION AND AUTHENTICATION |
| WBLC-08-000214 - Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data - JAVA_OPTIONS | Oracle WebLogic Server 12c Linux v2r2 | Unix | CONFIGURATION MANAGEMENT |
| WBLC-08-000214 - Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data - JAVA_OPTIONS | Oracle WebLogic Server 12c Linux v2r2 Middleware | Unix | CONFIGURATION MANAGEMENT |
