| 1.2.3 Ensure 'Account lockout threshold' is set to '3 or fewer invalid logon attempt(s), but not 0' (STIG only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.2.7 Ensure 'Allow log on locally' is set to 'Administrators, ENTERPRISE DOMAIN CONTROLLERS' (DC only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.14 Ensure 'Create a token object' is set to 'No One' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.16 Ensure 'Create permanent shared objects' is set to 'No One' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.40 Ensure 'Force shutdown from a remote system' is set to 'Administrators' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.41 Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.45 Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.58 Ensure 'Restore files and directories' is set to 'Administrators' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.3.2.1 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 2.3.6.1 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.7.5 Configure 'Interactive logon: Message title for users attempting to log on' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.3.10.1 Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.3.10.1 Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.3.10.7 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.3.11.10 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.15.2 Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.17.1 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.3.17.2 Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.3.17.3 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.3.17.6 Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.3.17.7 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.3.17.9 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.1.1 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.1.2 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.1.7 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.4 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.8 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 17.5.2 Ensure 'Audit Group Membership' is set to include 'Success' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 17.5.3 Ensure 'Audit Logoff' is set to include 'Success' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 17.5.4 Ensure 'Audit Logon' is set to 'Success and Failure' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 17.7.2 Ensure 'Audit Audit Policy Change' is set to include 'Success and Failure' (STIG only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 17.9.1 Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 17.9.4 Ensure 'Audit Security System Extension' is set to include 'Success' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 18.5.4 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 18.6.8.1 Ensure 'Enable insecure guest logons' is set to 'Disabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT |
| 18.9.5.1 Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.5.5 Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.19.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 18.9.20.1.1 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.7.2 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | MEDIA PROTECTION |
| 18.10.80.2 Ensure 'Always install with elevated privileges' is set to 'Disabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 19.7.5.1 Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT |
| 20.1 Ensure 'Accounts require passwords' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | IDENTIFICATION AND AUTHENTICATION |
| 20.25 Ensure 'Domain-joined systems have a Trusted Platform Module (TPM) enabled and ready for use' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT |
| 20.27 Ensure 'Event Viewer must be protected from unauthorized modification and deletion' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 20.33 Ensure 'Local volumes must use a format that supports NTFS attributes' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT |
| 20.38 Ensure 'Non-system-created file shares must limit access to groups that require it' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT |
| 20.39 Ensure 'Off-load of audit records of interconnected systems in real time and off-load standalone systems weekly' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 20.67 Ensure 'The system uses an anti-virus program' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | SYSTEM AND INFORMATION INTEGRITY |
