| 2.2.17 (L1) Ensure 'Create permanent shared objects' is set to 'No One' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.24 (L1) Ensure 'Deny log on as a service' to include 'Guests' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.30 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.36 (L1) Ensure 'Lock pages in memory' is set to 'No One' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.44 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.45 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.46 (L1) Ensure 'Restore files and directories' is set to 'Administrators' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.3.1.2 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.1.4 (L1) Configure 'Accounts: Rename guest account' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.5.6 (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL |
| 2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL |
| 2.3.7.5 (L1) Configure 'Interactive logon: Message title for users attempting to log on' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL |
| 2.3.7.7 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL |
| 2.3.10.12 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL |
| 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL |
| 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.11.8 (L1) Ensure 'Network security: LDAP client encryption requirements' is set to 'Negotiate sealing' or higher | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.11.9 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.11.11 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.11.12 (L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL |
| 9.1.3 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.4.5 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.5.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.5.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.6.4.1 (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.6.7.1 (L1) Ensure 'Audit client does not support encryption' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 18.6.7.3 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 18.6.7.6 (L1) Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.6.8.1 (L1) Ensure 'Audit insecure guest logon' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 18.6.8.4 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.7.8 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.7.10 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.7.11 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.7.12 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL |
| 18.9.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.9.19.4 (L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 18.9.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.9.33.6.3 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL |
| 18.9.39.1 (L1) Ensure 'Configure validation of ROCA-vulnerable WHfB keys during authentication' is set to 'Enabled: Audit' or higher (DC only) | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.9.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.10.81.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | ACCESS CONTROL |
| 18.10.89.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.93.4.1 (L1) Ensure 'Manage preview builds' is set to 'Disabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 19.7.8.2 (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
