STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← SC-3 — Security Function Isolation

CCI-001084

Definition

Isolate security functions from nonsecurity functions.

Parent Control

SC-3Security Function IsolationSystem and Communications Protection

Linked STIG Checks (176)

V-274033CAT IIAmazon Linux 2023 must have the policycoreutils package installed.Amazon Linux 2023 Security Technical Implementation Guide V-274153CAT IAmazon Linux 2023 must use a Linux Security Module configured to enforce limits on system services.Amazon Linux 2023 Security Technical Implementation Guide V-214290CAT IIThe Apache web server document directory must be in a separate partition from the Apache web servers system files.Apache Server 2.4 UNIX Site Security Technical Implementation Guide V-214337CAT IIThe Apache web server document directory must be in a separate partition from the Apache web servers system files.Apache Server 2.4 Windows Server Security Technical Implementation Guide V-214382CAT IIThe Apache web server document directory must be in a separate partition from the Apache web servers system files.Apache Server 2.4 Windows Site Security Technical Implementation Guide V-222590CAT IIThe application must isolate security functions from non-security functions.Application Security and Development Security Technical Implementation Guide V-272633CAT IICylanceON-PREM must be configured with only one local Role to be used by the account of last resort in the event the authentication server is unavailable.Arctic Wolf CylanceON-PREM Security Technical Implementation Guide V-276005CAT IIAx-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.Axonius Federal Systems Ax-OS Security Technical Implementation Guide V-251617CAT IICA IDMS must isolate the security manager to which users, groups, roles are assigned authorities/permissions to resources.CA IDMS Security Technical Implementation Guide V-219169CAT IThe Ubuntu operating system must be configured so that only users who need access to security functions are part of the sudo group.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-238206CAT IThe Ubuntu operating system must ensure only users who need access to security functions are part of sudo group.Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide V-260559CAT IUbuntu 22.04 LTS must ensure only users who need access to security functions are part of sudo group.Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide V-270748CAT IUbuntu 24.04 LTS must ensure only users who need access to security functions are part of sudo group.Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide V-269430CAT IIAlmaLinux OS 9 must use a Linux Security Module configured to enforce limits on system services.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-269431CAT IIAlmaLinux OS 9 must have the policycoreutils package installed.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233125CAT IIThe container platform runtime must isolate security functions from non-security functions.Container Platform Security Requirements Guide V-233546CAT IIPostgreSQL must isolate security functions from non-security functions.Crunchy Data PostgreSQL Security Technical Implementation Guide V-261902CAT IIPostgreSQL must isolate security functions from nonsecurity functions.Crunchy Data Postgres 16 Security Technical Implementation Guide V-206571CAT IIThe DBMS must isolate security functions from non-security functions.Database Security Requirements Guide V-270910CAT IIDragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.Dragos Platform 2.x Security Technical Implementation Guide V-224179CAT IIThe EDB Postgres Advanced Server must isolate security functions from non-security functions.EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide V-213605CAT IIThe EDB Postgres Advanced Server must isolate security functions from non-security functions.EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide V-259260CAT IIThe EDB Postgres Advanced Server must isolate security functions from nonsecurity functions.EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide V-203656CAT IIThe operating system must isolate security functions from nonsecurity functions.General Purpose Operating System Security Requirements Guide V-215404CAT IIAIX must turn on enhanced Role-Based Access Control (RBAC) to isolate security functions from nonsecurity functions, to grant system privileges to other operating system admins, and prohibit user installation of system software without explicit privileged status.IBM AIX 7.x Security Technical Implementation Guide V-213707CAT IIDB2 must isolate security functions from non-security functions.IBM DB2 V10.5 LUW Security Technical Implementation Guide V-223514CAT IACF2 security data sets and/or databases must be properly protected.IBM z/OS ACF2 Security Technical Implementation Guide V-223684CAT IThe IBM RACF System REXX IRRPWREX security data set must be properly protected.IBM z/OS RACF Security Technical Implementation Guide V-223685CAT IIBM RACF security data sets and/or databases must be properly protected.IBM z/OS RACF Security Technical Implementation Guide V-223903CAT ICA-TSS security data sets and/or databases must be properly protected.IBM z/OS TSS Security Technical Implementation Guide V-237923CAT IICA VM:Secure must have a security group for Security Administrators only.IBM zVM Using CA VM:Secure Security Technical Implementation Guide V-242434CAT IKubernetes Kubelet must enable kernel protection.Kubernetes Security Technical Implementation Guide V-213855CAT IISQL Server must isolate security functions from nonsecurity functions.MS SQL Server 2014 Instance Security Technical Implementation Guide V-213914CAT IIISQL Server must isolate security functions from non-security functions.MS SQL Server 2016 Database Security Technical Implementation Guide V-205521CAT IIThe Mainframe Product must isolate security functions from nonsecurity functions.Mainframe Product Security Requirements Guide V-255308CAT IIThe Azure SQL Database must isolate security functions from nonsecurity functions.Microsoft Azure SQL Database Security Technical Implementation Guide V-276290CAT IIIAzure SQL Managed Instance must isolate security functions from nonsecurity functions.Microsoft Azure SQL Managed Instance Security Technical Implementation Guide V-218752CAT IIThe IIS 10.0 website document directory must be in a separate partition from the IIS 10.0 websites system files.Microsoft IIS 10.0 Site Security Technical Implementation Guide V-223077CAT IIThe 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows, must be turned on.Microsoft Internet Explorer 11 Security Technical Implementation Guide V-223093CAT IIProtected Mode must be enforced (Internet zone).Microsoft Internet Explorer 11 Security Technical Implementation Guide V-223094CAT IIProtected Mode must be enforced (Restricted Sites zone).Microsoft Internet Explorer 11 Security Technical Implementation Guide V-223110CAT IIInternet Explorer Processes for Zone Elevation must be enforced (Reserved).Microsoft Internet Explorer 11 Security Technical Implementation Guide V-223111CAT IIInternet Explorer Processes for Zone Elevation must be enforced (Explorer).Microsoft Internet Explorer 11 Security Technical Implementation Guide V-223112CAT IIInternet Explorer Processes for Zone Elevation must be enforced (iexplore).Microsoft Internet Explorer 11 Security Technical Implementation Guide V-271172CAT IISQL Server must isolate security functions from nonsecurity functions.Microsoft SQL Server 2022 Database Security Technical Implementation Guide V-220799CAT IILocal administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.Microsoft Windows 10 Security Technical Implementation Guide V-220832CAT IIAdministrator accounts must not be enumerated during elevation.Microsoft Windows 10 Security Technical Implementation Guide V-220945CAT IIUser Account Control must, at minimum, prompt administrators for consent on the secure desktop.Microsoft Windows 10 Security Technical Implementation Guide V-220948CAT IIUser Account Control must be configured to detect application installations and prompt for elevation.Microsoft Windows 10 Security Technical Implementation Guide V-220949CAT IIUser Account Control must only elevate UIAccess applications that are installed in secure locations.Microsoft Windows 10 Security Technical Implementation Guide V-220951CAT IIUser Account Control must virtualize file and registry write failures to per-user locations.Microsoft Windows 10 Security Technical Implementation Guide V-253357CAT IILocal administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.Microsoft Windows 11 Security Technical Implementation Guide V-253391CAT IIAdministrator accounts must not be enumerated during elevation.Microsoft Windows 11 Security Technical Implementation Guide V-253469CAT IIUser Account Control must prompt administrators for consent on the secure desktop.Microsoft Windows 11 Security Technical Implementation Guide V-253472CAT IIUser Account Control must be configured to detect application installations and prompt for elevation.Microsoft Windows 11 Security Technical Implementation Guide V-253473CAT IIUser Account Control must only elevate UIAccess applications that are installed in secure locations.Microsoft Windows 11 Security Technical Implementation Guide V-253475CAT IIUser Account Control must virtualize file and registry write failures to per-user locations.Microsoft Windows 11 Security Technical Implementation Guide V-224935CAT IIAdministrator accounts must not be enumerated during elevation.Microsoft Windows Server 2016 Security Technical Implementation Guide V-225008CAT IILocal administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.Microsoft Windows Server 2016 Security Technical Implementation Guide V-225062CAT IIUIAccess applications must not be allowed to prompt for elevation without using the secure desktop.Microsoft Windows Server 2016 Security Technical Implementation Guide V-225063CAT IIUser Account Control must, at a minimum, prompt administrators for consent on the secure desktop.Microsoft Windows Server 2016 Security Technical Implementation Guide V-225065CAT IIUser Account Control must be configured to detect application installations and prompt for elevation.Microsoft Windows Server 2016 Security Technical Implementation Guide V-225066CAT IIUser Account Control must only elevate UIAccess applications that are installed in secure locations.Microsoft Windows Server 2016 Security Technical Implementation Guide V-225068CAT IIUser Account Control must virtualize file and registry write failures to per-user locations.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205714CAT IIWindows Server 2019 administrator accounts must not be enumerated during elevation.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205715CAT IIWindows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205716CAT IIWindows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205717CAT IIWindows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205718CAT IIWindows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205719CAT IIWindows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205720CAT IIWindows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254355CAT IIWindows Server 2022 administrator accounts must not be enumerated during elevation.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254429CAT IIWindows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254483CAT IIWindows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254484CAT IIWindows Server 2022 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254486CAT IIWindows Server 2022 User Account Control (UAC) must be configured to detect application installations and prompt for elevation.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254487CAT IIWindows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254489CAT IIWindows Server 2022 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.Microsoft Windows Server 2022 Security Technical Implementation Guide V-278102CAT IIWindows Server 2025 administrator accounts must not be enumerated during elevation.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278178CAT IIWindows Server 2025 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278233CAT IIWindows Server 2025 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278234CAT IIWindows Server 2025 User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278236CAT IIWindows Server 2025 User Account Control (UAC) must be configured to detect application installations and prompt for elevation.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278237CAT IIWindows Server 2025 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278239CAT IIWindows Server 2025 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.Microsoft Windows Server 2025 Security Technical Implementation Guide V-260933CAT IIMKE must enable kernel protection.Mirantis Kubernetes Engine Security Technical Implementation Guide V-221175CAT IIMongoDB must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide V-254225CAT IINutanix AOS must be configured to run SELinux Policies.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-254237CAT IINutanix AOS must be configured to use SELinux Enforcing mode.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279623CAT IINutanix OS must isolate security functions from nonsecurity functions.Nutanix Acropolis GPOS Security Technical Implementation Guide V-219782CAT IIThe DBMS must isolate security functions from non-security functions by means of separate security domains.Oracle Database 11.2g Security Technical Implementation Guide V-238445CAT IIAdministrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.Oracle Database 11.2g Security Technical Implementation Guide V-220298CAT IIThe DBMS must isolate security functions from nonsecurity functions by means of separate security domains.Oracle Database 12c Security Technical Implementation Guide V-237710CAT IIAdministrators must utilize a separate, distinct administrative account when performing administrative activities, accessing database security functions, or accessing security-relevant information.Oracle Database 12c Security Technical Implementation Guide V-270576CAT IIOracle Database must isolate security functions from nonsecurity functions by means of separate security domains.Oracle Database 19c Security Technical Implementation Guide V-221496CAT IIOHS must have the DocumentRoot directive set to a separate partition from the OHS system files.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-221497CAT IIOHS must have the Directory directive accompanying the DocumentRoot directive set to a separate partition from the OHS system files.Oracle HTTP Server 12.1.3 Security Technical Implementation Guide V-248548CAT IIOL 8 must use a Linux Security Module configured to enforce limits on system services.Oracle Linux 8 Security Technical Implementation Guide V-248549CAT IIIOL 8 must have the "policycoreutils" package installed.Oracle Linux 8 Security Technical Implementation Guide V-248590CAT IIOL 8 must clear the page allocator to prevent use-after-free attacks.Oracle Linux 8 Security Technical Implementation Guide V-248591CAT IIOL 8 must disable virtual syscalls.Oracle Linux 8 Security Technical Implementation Guide V-248592CAT IIOL 8 must clear memory when it is freed to prevent use-after-free attacks.Oracle Linux 8 Security Technical Implementation Guide V-271452CAT IOL 9 must use a Linux Security Module configured to enforce limits on system services.Oracle Linux 9 Security Technical Implementation Guide V-271467CAT IIOL 9 must have policycoreutils package installed.Oracle Linux 9 Security Technical Implementation Guide V-271734CAT IIOL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.Oracle Linux 9 Security Technical Implementation Guide V-271737CAT IIOL 9 must disable virtual system calls.Oracle Linux 9 Security Technical Implementation Guide V-271738CAT IIOL 9 must clear the page allocator to prevent use-after-free attacks.Oracle Linux 9 Security Technical Implementation Guide V-235151CAT IIThe MySQL Database Server 8.0 must isolate security functions from non-security functions.Oracle MySQL 8.0 Security Technical Implementation Guide V-253524CAT IIUsers requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide V-214081CAT IIPostgreSQL must isolate security functions from non-security functions.PostgreSQL 9.x Security Technical Implementation Guide V-254569CAT IIRancher RKE2 runtime must isolate security functions from nonsecurity functions.Rancher Government Solutions RKE2 Security Technical Implementation Guide V-280966CAT IIRHEL 10 must have the "policycoreutils" package installed.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281251CAT IIRHEL 10 must use a Linux Security Module configured to enforce limits on system services.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281301CAT IIRHEL 10 must disable virtual system calls.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281302CAT IIRHEL 10 must clear the page allocator to prevent use-after-free attacks.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-281303CAT IIRHEL 10 must clear memory when it is freed to prevent use-after-free attacks.Red Hat Enterprise Linux 10 Security Technical Implementation Guide V-230240CAT IIRHEL 8 must use a Linux Security Module configured to enforce limits on system services.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230241CAT IIIRHEL 8 must have policycoreutils package installed.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230277CAT IIRHEL 8 must clear the page allocator to prevent use-after-free attacks.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230278CAT IIRHEL 8 must disable virtual syscalls.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-230279CAT IIRHEL 8 must clear memory when it is freed to prevent use-after-free attacks.Red Hat Enterprise Linux 8 Security Technical Implementation Guide V-257792CAT IIRHEL 9 must disable virtual system calls.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257793CAT IIRHEL 9 must clear the page allocator to prevent use-after-free attacks.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257794CAT IIRHEL 9 must clear memory when it is freed to prevent use-after-free attacks.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258078CAT IRHEL 9 must use a Linux Security Module configured to enforce limits on system services.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-258081CAT IIRHEL 9 must have policycoreutils package installed.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257547CAT IIOpenShift runtime must isolate security functions from nonsecurity functions.Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide V-257547CAT IIOpenShift runtime must isolate security functions from nonsecurity functions.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-275648CAT IUbuntu OS must ensure only users who need access to security functions are part of sudo group.Riverbed NetIM OS Security Technical Implementation Guide V-206739CAT IIThe SDN controller must be configured to isolate security functions from non-security functions.SDN Controller Security Requirements Guide V-261368CAT IIISLEM 5 must have policycoreutils package installed.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-261369CAT ISLEM 5 must use a Linux Security Module configured to enforce limits on system services.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-240988CAT IIThe Tanium Server must be configured with a connector to sync to Microsoft Active Directory for account management functions, must isolate security functions from non-security functions, and must terminate shared/group account credentials when members leave the group.Tanium 7.0 Security Technical Implementation Guide V-234048CAT IIThe Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.Tanium 7.3 Security Technical Implementation Guide V-254904CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Server.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-254928CAT IIThe Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-253815CAT IIThe Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.Tanium 7.x Security Technical Implementation Guide V-253845CAT IIThe Tanium cryptographic signing capabilities must be enabled on the Tanium Server.Tanium 7.x Security Technical Implementation Guide V-241142CAT IITrend Deep Security must isolate security functions from non-security functions.Trend Micro Deep Security 9.x Security Technical Implementation Guide V-252920CAT IITOSS must use a Linux Security Module configured to enforce limits on system services.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-253084CAT IIITOSS must have policycoreutils package installed.Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide V-282510CAT IITOSS 5 must use a Linux Security Module configured to enforce limits on system services.Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide V-240301CAT IIThe vRA PostgreSQL must not allow access to unauthorized accounts.VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide V-239800CAT IIThe vROps PostgreSQL DB must isolate security functions from non-security functions.VMW vRealize Operations Manager 6.x PostgreSQL Security Technical Implementation Guide V-240818CAT IItc Server HORIZON document directory must be in a separate partition from the web servers system files.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240819CAT IItc Server VCO document directory must be in a separate partition from the web servers system files.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-240820CAT IItc Server VCAC document directory must be in a separate partition from the web servers system files.VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide V-241673CAT IItc Server UI document directory must be in a separate partition from the web servers system files.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241674CAT IItc Server CaSa document directory must be in a separate partition from the web servers system files.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-241675CAT IItc Server API document directory must be in a separate partition from the web servers system files.VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide V-256605CAT IIVMware Postgres must not allow schema access to unauthorized accounts.VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide V-256335CAT IIThe vCenter Server users must have the correct roles assigned.VMware vSphere 7.0 vCenter Security Technical Implementation Guide V-258921CAT IIThe vCenter Server user roles must be verified.VMware vSphere 8.0 vCenter Security Technical Implementation Guide V-207402CAT IIThe VMM must isolate security functions from non-security functions.Virtual Machine Manager Security Requirements Guide V-206408CAT IIThe web server document directory must be in a separate partition from the web servers system files.Web Server Security Requirements Guide V-73487CAT IIAdministrator accounts must not be enumerated during elevation.Windows Server 2016 Security Technical Implementation Guide V-73487CAT IIAdministrator accounts must not be enumerated during elevation.Windows Server 2016 Security Technical Implementation Guide V-73495CAT IILocal administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.Windows Server 2016 Security Technical Implementation Guide V-73495CAT IILocal administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.Windows Server 2016 Security Technical Implementation Guide V-73709CAT IIUIAccess applications must not be allowed to prompt for elevation without using the secure desktop.Windows Server 2016 Security Technical Implementation Guide V-73709CAT IIUIAccess applications must not be allowed to prompt for elevation without using the secure desktop.Windows Server 2016 Security Technical Implementation Guide V-73711CAT IIUser Account Control must, at a minimum, prompt administrators for consent on the secure desktop.Windows Server 2016 Security Technical Implementation Guide V-73711CAT IIUser Account Control must, at a minimum, prompt administrators for consent on the secure desktop.Windows Server 2016 Security Technical Implementation Guide V-73715CAT IIUser Account Control must be configured to detect application installations and prompt for elevation.Windows Server 2016 Security Technical Implementation Guide V-73715CAT IIUser Account Control must be configured to detect application installations and prompt for elevation.Windows Server 2016 Security Technical Implementation Guide V-73717CAT IIUser Account Control must only elevate UIAccess applications that are installed in secure locations.Windows Server 2016 Security Technical Implementation Guide V-73717CAT IIUser Account Control must only elevate UIAccess applications that are installed in secure locations.Windows Server 2016 Security Technical Implementation Guide V-73721CAT IIUser Account Control must virtualize file and registry write failures to per-user locations.Windows Server 2016 Security Technical Implementation Guide V-73721CAT IIUser Account Control must virtualize file and registry write failures to per-user locations.Windows Server 2016 Security Technical Implementation Guide V-93517CAT IIWindows Server 2019 administrator accounts must not be enumerated during elevation.Windows Server 2019 Security Technical Implementation Guide V-93519CAT IIWindows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain-joined member servers.Windows Server 2019 Security Technical Implementation Guide V-93521CAT IIWindows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop.Windows Server 2019 Security Technical Implementation Guide V-93523CAT IIWindows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.Windows Server 2019 Security Technical Implementation Guide V-93525CAT IIWindows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation.Windows Server 2019 Security Technical Implementation Guide V-93527CAT IIWindows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations.Windows Server 2019 Security Technical Implementation Guide V-93529CAT IIWindows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations.Windows Server 2019 Security Technical Implementation Guide