| 2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only) | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 2.2.6 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.7 (L1) Ensure 'Allow log on locally' is set to 'Administrators' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.19 (L1) Ensure 'Debug programs' is set to 'Administrators' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 2.2.39 (L1) Ensure 'Modify an object label' is set to 'No One' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.2.44 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.5.4 (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only) | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.7.4 (L1) Configure 'Interactive logon: Message title for users attempting to log on' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' | CIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 Domain Controller | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.9.2 Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.9.3 Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 Domain Controller | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.10.8 (L1) Configure 'Network access: Remotely accessible registry paths' is configured | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 2.3.17.5 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | AUDIT AND ACCOUNTABILITY |
| 18.4.6 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.5.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.5.11.3 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 18.8.7.2 (L1) Ensure 'Allow remote access to the Plug and Play interface' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | MEDIA PROTECTION |
| 18.8.22.1.12 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | MEDIA PROTECTION |
| 18.9.65.3.2.1 (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.65.3.3.3 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.65.3.3.4 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.66.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.90.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.100.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 18.9.102.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 2 v3.3.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.102.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.108.1.1 (L1) Ensure 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.108.1.2 (L1) Ensure 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' is set to 'Disabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 19.1.3.1 (L1) Ensure 'Enable screen saver' is set to 'Enabled' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
| 19.1.3.4 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0' | CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1 | Windows | ACCESS CONTROL |
