| 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.2 Ensure 'Maximum send size: Organization level' is set to '25' | CIS Microsoft Exchange Server 2019 L1 Mailbox v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2.5 Ensure 'Maximum receive size: Connector level' is set to '25' | CIS Microsoft Exchange Server 2019 L1 Mailbox v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2.11 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.30 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 2.2.32 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only) | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.42 (L1) Ensure 'Profile single process' is set to 'Administrators' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.44 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.7.7 (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only) | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.10.7 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only) | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.10.10 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.11.4 Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.17.5 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 7.13 Ensure AES 256/256 Cipher Suite is enabled | CIS IIS 8.0 v1.5.1 Level 1 | Windows | |
| 9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 17.5.3 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 18.3.4 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.3.7 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.5.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.8.22.1.1 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.8.22.1.11 (L2) Ensure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.8.34.6.2 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 18.9.25.2 (L1) Ensure 'Default Action and Mitigation Settings' is set to 'Enabled' (plus subsettings) | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.25.4 (L1) Ensure 'Default Protections for Popular Software' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.31.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.47.15 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.65.3.3.2 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.65.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.65.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.66.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.102.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.108.1.2 (L1) Ensure 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.10.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | CIS Microsoft Windows 10 Stand-alone v4.0.0 BL | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.10.10.2.5 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' | CIS Microsoft Windows 11 Stand-alone v4.0.0 L1 BL | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | CIS Microsoft Windows 11 Stand-alone v4.0.0 L1 BL | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | CIS Microsoft Windows 10 Stand-alone v4.0.0 BL | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 19.7.43.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
