| 1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.24 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.25 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.25 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.25 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | CIS Windows Server 2012 R2 MS L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | CIS Windows Server 2012 MS L1 v3.0.0 | Windows | ACCESS CONTROL |
| 2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2016 v3.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2022 v4.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.26 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.27 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | CIS Microsoft Windows Server 2025 v1.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.27 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | CIS Microsoft Windows Server 2016 v3.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.27 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | CIS Microsoft Windows Server 2019 v4.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.27 (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | CIS Microsoft Windows Server 2022 v4.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.30 Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 Domain Controller | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.30 Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.31 Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.34 Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.34 Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.34 Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 L1 Domain Controller | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.35 Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.35 Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 L1 Member Server | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| 17.1.3 (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| 17.5.2 (L1) Ensure 'Audit Logoff' is set to include 'Success' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| 17.5.3 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| 17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 18.5.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.14.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.10.24.3 (L1) Ensure 'Default Protections for Internet Explorer' is set to 'Enabled' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.10.24.6 (L1) Ensure 'System ASLR' is set to 'Enabled: Application Opt-In' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.10.26.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | AUDIT AND ACCOUNTABILITY |
| 18.10.51.2 (L1) Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | ACCESS CONTROL |
| 18.10.57.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.89.2.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.89.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.93.2.3 (L1) Ensure 'Enable features introduced via servicing that are off by default' is set to 'Disabled' | CIS Microsoft Windows 11 Stand-alone v4.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.93.2.3 (L1) Ensure 'Enable features introduced via servicing that are off by default' is set to 'Disabled' | CIS Microsoft Windows 11 Enterprise v4.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.93.2.3 (L1) Ensure 'Enable features introduced via servicing that are off by default' is set to 'Disabled' | CIS Microsoft Windows 11 Enterprise v4.0.0 L1 BitLocker | Windows | CONFIGURATION MANAGEMENT |
| WDNS-AU-000007 - The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM. | DISA Microsoft Windows 2012 Server DNS STIG v2r7 | Windows | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| WDNS-SC-000009 - The Windows 2012 DNS Server must enforce approved authorizations between DNS servers through the use of digital signatures in the RRSet. | DISA Microsoft Windows 2012 Server DNS STIG v2r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WN12-UR-000021-MS - The Deny log on through Remote Desktop Services user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems, and from unauthenticated access on all systems. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL |
| WN19-DC-000030 - Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | DISA Microsoft Windows Server 2019 STIG v3r4 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN22-DC-000030 - Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | DISA Microsoft Windows Server 2022 STIG v2r4 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN22-DC-000120 - Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files. | DISA Microsoft Windows Server 2022 STIG v2r4 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
