| 2.2.9 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only) | CIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.2.11 Ensure 'Back up files and directories' is set to 'Administrators' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.16 Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | AUDIT AND ACCOUNTABILITY |
| 2.3.5.5 Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.6.2 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 2.3.10.1 Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.3.10.7 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 2.3.10.12 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.17.8 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.4.3 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | CONFIGURATION MANAGEMENT |
| 18.5.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | CONFIGURATION MANAGEMENT |
| 18.5.3 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | CIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.6.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | CIS Microsoft Windows Server 2016 v3.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.6.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.4.2 Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.9.5.1 Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.11.1.7 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 | Windows | CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.11.3.7 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' | CIS Windows 7 Workstation Bitlocker v3.2.0 | Windows | CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.11.3.7 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 | Windows | CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 18.9.33.6.3 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 18.9.39.2 (L2) Ensure 'Turn off location' is set to 'Enabled' | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker | Windows | CONFIGURATION MANAGEMENT |
| 18.10.10.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | CIS Microsoft Windows 11 Stand-alone v4.0.0 BL | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.10.10.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L1 BL | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.10.10.2.5 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' | CIS Microsoft Windows 10 Stand-alone v4.0.0 BL | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | CIS Microsoft Windows 11 Stand-alone v4.0.0 BL | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | CIS Microsoft Windows 11 Enterprise v4.0.0 BitLocker | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | CIS Microsoft Windows 11 Enterprise v4.0.0 L1 BitLocker | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.10.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L1 BL | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.80.1 Ensure 'Allow user control over installs' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 18.10.80.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | CONFIGURATION MANAGEMENT |
| 18.10.88.1.2 Ensure 'Allow unencrypted traffic' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.88.1.3 Ensure 'Disallow Digest authentication' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.88.2.1 Ensure 'Allow Basic authentication' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.88.2.3 Ensure 'Allow unencrypted traffic' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 20.11 Ensure 'Active Directory user accounts are configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT)' (STIG DC only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | IDENTIFICATION AND AUTHENTICATION |
| 20.14 Ensure 'Automated mechanisms must be employed to determine the state of system components' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | RISK ASSESSMENT |
| 20.26 Ensure 'Emergency accounts must be automatically removed or disabled after the crisis is resolved or within 72 hours' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 20.29 Ensure 'FTP servers are configured to prevent access to the system drive' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 20.33 Ensure 'Local volumes must use a format that supports NTFS attributes' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | CONFIGURATION MANAGEMENT |
| 20.36 Ensure 'Members of the Backup Operators group have separate accounts for backup duties and normal operational tasks' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 20.42 Ensure 'Operating System is maintained at a supported servicing level' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | SYSTEM AND SERVICES ACQUISITION |
| 20.63 Ensure 'Temporary user accounts must be automatically removed or disabled after 72 hours' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 20.66 Ensure 'The system uses a host-based intrusion detection or prevention system' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
