| 2.2.7 (L1) Ensure 'Allow log on locally' is set to 'Administrators' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.8 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only) | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.33 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.35 (L1) Ensure 'Lock pages in memory' is set to 'No One' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.3.10.10 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.3.10.12 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 5.1 (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.6.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.20.1.2 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.46.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.43.5.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.57.3.3.4 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' | CIS Windows Server 2012 DC L2 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Account lockout duration | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Account lockout threshold | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Act as part of the operating system | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Audit Other System Events | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit Process Creation | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| Create permanent shared objects | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Default Protections for Popular Software - 7zFM | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Default Protections for Popular Software - Firefox | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Default Protections for Popular Software - iTunes | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Default Protections for Popular Software - Photoshop | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Default Protections for Popular Software - QuickTimePlayer | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Devices: Allowed to format and eject removable media | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | MEDIA PROTECTION |
| Domain member: Digitally encrypt or sign secure channel data (always) | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Enable computer and user accounts to be trusted for delegation | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Generate security audits | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Impersonate a client after authentication | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Interactive logon: Prompt user to change password before expiration | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Interactive logon: Smart card removal behavior | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Minimum password age | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Network access: Allow anonymous SID/Name translation | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Network security: Allow Local System to use computer identity for NTLM | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Network security: Allow LocalSystem NULL session fallback | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Network security: Force logoff when logon hours expire | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| Prevent enabling lock screen slide show | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| System ASLR | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| System DEP | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| User Account Control: Run all administrators in Admin Approval Mode | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | ACCESS CONTROL |
| User Account Control: Virtualize file and registry write failures to per-user locations | MSCT Windows Server 2012 R2 DC v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
