| 2.2.14 (L1) Ensure 'Create a pagefile' is set to 'Administrators' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.21 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only) | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.34 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.42 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.47 (L1) Ensure 'Shut down the system' is set to 'Administrators' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 2.3.5.1 (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only) | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL |
| 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL |
| 2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.17.6 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL |
| 9.1.3 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.1.4 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.3 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.4 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION |
| 17.7.4 (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 18.4.4 (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.5.8 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.7.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.9.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 18.9.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' | CIS Microsoft Windows Server 2022 v4.0.0 NG DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.7.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.19.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 18.9.33.6.4 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL |
| 18.9.35.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.10.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL |
| 18.10.18.1 (L2) Ensure 'Enable App Installer' is set to 'Disabled' | CIS Microsoft Windows Server 2019 v4.0.0 L2 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.10.26.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 18.10.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY |
| 18.10.42.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL |
| 18.10.43.6.1.1 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.10.43.10.5 (L1) Ensure 'Turn on script scanning' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.10.43.13.4 (L1) Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.10.57.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.10.57.3.3.2 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.10.57.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.57.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.63.1 (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L2 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.10.89.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.89.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.93.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.93.2.1 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.93.2.2 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.93.4.1 (L1) Ensure 'Manage preview builds' is set to 'Disabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 19.7.5.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' | CIS Microsoft Windows Server 2019 v4.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 19.7.46.2.1 (L2) Ensure 'Prevent Codec Download' is set to 'Enabled' | CIS Microsoft Windows Server 2022 v4.0.0 L2 DC | Windows | CONFIGURATION MANAGEMENT |
