| 1.1.4 Ensure 'Minimum password age' is set to '1 or more day(s)' | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 MS | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.2.4 Ensure 'Act as part of the operating system' is set to 'No One' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.8 (L1) Ensure 'Allow log on locally' is set to 'Administrators' (MS only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.19 Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.31 Ensure 'Deny log on locally' to include 'Guests' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.40 Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.42 Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.46 Ensure 'Load and unload device drivers' is set to 'Administrators' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.2.51 Ensure 'Modify an object label' is set to 'No One' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.3.7.1 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.3.7.6 Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.9.1 Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.3.10.12 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.3.11.2 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.3.11.8 Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.11.9 Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.11.11 Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | AUDIT AND ACCOUNTABILITY |
| 2.3.17.5 Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.3.17.6 Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.3.17.8 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL |
| 2.3.17.10 Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.3.3 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 17.5.5 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | CIS Microsoft Windows Server 2016 STIG v3.0.0 L1 MS | Windows | AUDIT AND ACCOUNTABILITY |
| 18.5.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.6.9.2 Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.6.21.1 Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 18.7.1 Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 18.7.7 Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.9.5.2 Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher | CIS Microsoft Windows Server 2022 STIG v2.0.0 NG MS | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.5.4 Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' | CIS Microsoft Windows Server 2022 STIG v2.0.0 NG MS | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.5.7 Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' | CIS Microsoft Windows Server 2022 STIG v2.0.0 NG MS | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.9.19.7 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 18.9.20.1.3 Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.9.20.1.12 Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.9.24.1 Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.9.25.2 Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.9.25.6 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.9.31.2 Ensure 'Allow upload of User Activities' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.56.3.3.4 Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.56.3.10.2 Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | ACCESS CONTROL |
| 18.10.58.4 Ensure 'Allow search highlights' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.80.3 Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.91.2.1 Ensure 'Prevent users from modifying settings' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.10.92.4.1 Ensure 'Manage preview builds' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT |
| 19.7.8.1 Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L1 MS | Windows | ACCESS CONTROL |
| 19.7.44.2.1 Ensure 'Prevent Codec Download' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG v3.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
