STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← IA-2 (8) — Identification and Authentication (Organizational Users)

CCI-001941

Definition

Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.

Parent Control

IA-2 (8)Identification and Authentication (Organizational Users)Identification and Authentication

Linked STIG Checks (152)

V-255598CAT IIThe A10 Networks ADC must implement replay-resistant authentication mechanisms for network access to privileged accounts.A10 Networks ADC NDM Security Technical Implementation Guide V-243471CAT IILocal administrator accounts on domain systems must not share the same password.Active Directory Domain Security Technical Implementation Guide V-279056CAT IIWeb services using Simple Object Access Protocol (SOAP) to access sensitive data must be secured with WS-Security.Adobe ColdFusion Security Technical Implementation Guide V-274038CAT IAmazon Linux 2023 must have SSH installed.Amazon Linux 2023 Security Technical Implementation Guide V-274039CAT IAmazon Linux 2023 must implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.Amazon Linux 2023 Security Technical Implementation Guide V-268159CAT INixOS must protect the confidentiality and integrity of transmitted information.Anduril NixOS Security Technical Implementation Guide V-268477CAT IThe macOS system must disable password authentication for SSH.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268542CAT IIThe macOS system must enforce smart card authentication.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268543CAT IIThe macOS system must allow smart card authentication.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268544CAT IIThe macOS system must enforce multifactor authentication for login.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268545CAT IIThe macOS system must enforce multifactor authentication for the su command.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-268546CAT IIThe macOS system must enforce multifactor authentication for privilege escalation through the sudo command.Apple macOS 15 (Sequoia) Security Technical Implementation Guide V-277084CAT IThe macOS system must disable password authentication for SSH.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277150CAT IIThe macOS system must enforce smart card authentication.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277151CAT IIThe macOS system must allow smart card authentication.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277152CAT IIThe macOS system must enforce multifactor authentication for login.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277153CAT IIThe macOS system must enforce multifactor authentication for the su command.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-277154CAT IIThe macOS system must enforce multifactor authentication for privilege escalation through the sudo command.Apple macOS 26 (Tahoe) Security Technical Implementation Guide V-204949CAT IIThe ALG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.Application Layer Gateway Security Requirements Guide V-222530CAT IIThe application must implement replay-resistant authentication mechanisms for network access to privileged accounts.Application Security and Development Security Technical Implementation Guide V-222531CAT IIThe application must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.Application Security and Development Security Technical Implementation Guide V-204749CAT IIThe application server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.Application Server Security Requirements Guide V-237327CAT IIThe ArcGIS Server must implement replay-resistant authentication mechanisms for network access to privileged accounts and non-privileged accounts.ArcGIS for Server 10.3 Security Technical Implementation Guide V-272629CAT ICylanceON-PREM must be configured to use TLS 1.2 or higher.Arctic Wolf CylanceON-PREM Security Technical Implementation Guide V-255960CAT IThe Arista network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Arista MLS EOS 4.2x NDM Security Technical Implementation Guide V-255960CAT IThe Arista network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Arista MLS EOS 4.X NDM Security Technical Implementation Guide V-276012CAT IAx-OS must have no local accounts for the user interface.Axonius Federal Systems Ax-OS Security Technical Implementation Guide V-219308CAT IThe Ubuntu operating system must enforce SSHv2 for network access to all accounts.Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide V-206465CAT IIThe Central Log Server must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.Central Log Server Security Requirements Guide V-271936CAT IIThe Cisco ACI must implement replay-resistant authentication mechanisms for network access to privileged accounts.Cisco ACI NDM Security Technical Implementation Guide V-239913CAT IIThe Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.Cisco ASA NDM Security Technical Implementation Guide V-215699CAT IThe Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Cisco IOS Router NDM Security Technical Implementation Guide V-220607CAT IThe Cisco switch must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Cisco IOS Switch NDM Security Technical Implementation Guide V-215844CAT IThe Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Cisco IOS XE Router NDM Security Technical Implementation Guide V-220555CAT IThe Cisco switch must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.Cisco IOS XE Switch NDM Security Technical Implementation Guide V-216531CAT IIThe Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.Cisco IOS XR Router NDM Security Technical Implementation Guide V-242642CAT IIFor accounts using password authentication, the Cisco ISE must implement replay-resistant authentication mechanisms for network access to privileged accounts.Cisco ISE NDM Security Technical Implementation Guide V-220488CAT IIThe Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.Cisco NX OS Switch NDM Security Technical Implementation Guide V-269375CAT IIAlmaLinux OS 9 must use the CAC smart card driver.Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide V-233084CAT IIThe container platform must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.Container Platform Security Requirements Guide V-233085CAT IIThe container platform must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.Container Platform Security Requirements Guide V-255551CAT IIThe DBN-6300 must implement replay-resistant authentication mechanisms for network access to privileged accounts.DBN-6300 NDM Security Technical Implementation Guide V-269780CAT IIThe Dell OS10 Switch must implement replay-resistant authentication mechanisms for network access to privileged accounts.Dell OS10 Switch NDM Security Technical Implementation Guide V-235777CAT IFIPS mode must be enabled on all Docker Engine - Enterprise nodes.Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide V-270952CAT IIDragos must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system.Dragos Platform 2.x Security Technical Implementation Guide V-259966CAT IIThe Enterprise Voice, Video, and Messaging Endpoint must be configured to implement replay-resistant authentication mechanisms for network access.Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide V-260011CAT IIThe Enterprise Voice, Video, and Messaging Session Manager must be configured to implement attack-resistant mechanisms for Voice Video Endpoint registration.Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide V-278390CAT IINGINX must implement replay-resistant authentication mechanisms for network access.F5 NGINX Security Technical Implementation Guide V-278405CAT IINGINX must be configured to use FIPS-approved algorithms to protect the confidentiality and integrity of transmitted information.F5 NGINX Security Technical Implementation Guide V-234200CAT IIThe FortiGate device must implement replay-resistant authentication mechanisms for network access to privileged accounts.Fortinet FortiGate Firewall NDM Security Technical Implementation Guide V-203645CAT IIThe operating system must implement replay-resistant authentication mechanisms for network access to privileged accounts.General Purpose Operating System Security Requirements Guide V-203646CAT IIThe operating system must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.General Purpose Operating System Security Requirements Guide V-237818CAT IDoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide V-255291CAT IThe HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide V-255295CAT IThe HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide V-283425CAT IThe HPE Alletra Storage ArcusOS device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide V-266930CAT IIAOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.HPE Aruba Networking AOS NDM Security Technical Implementation Guide V-268260CAT IIThe HYCU virtual appliance must implement replay-resistant authentication mechanisms for network access to privileged accounts.HYCU Protege Security Technical Implementation Guide V-215179CAT IAIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.IBM AIX 7.x Security Technical Implementation Guide V-255738CAT IIWhen connecting to the MQ Appliance network device using the WebGUI, it must implement replay-resistant authentication mechanisms for network access to privileged accounts.IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide V-255866CAT IIThe WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.IBM WebSphere Traditional V9.x Security Technical Implementation Guide V-255867CAT IIThe WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.IBM WebSphere Traditional V9.x Security Technical Implementation Guide V-258601CAT IIThe ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.Ivanti Connect Secure NDM Security Technical Implementation Guide V-251026CAT IIThe Sentry providing mobile device authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.Ivanti Sentry 9.x ALG Security Technical Implementation Guide V-253903CAT IIThe Juniper EX switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.Juniper EX Series Switches Network Device Management Security Technical Implementation Guide V-217322CAT IIThe Juniper router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.Juniper Router NDM Security Technical Implementation Guide V-66513CAT IIThe Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.Juniper SRX SG NDM Security Technical Implementation Guide V-223216CAT IIThe Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.Juniper SRX Services Gateway NDM Security Technical Implementation Guide V-214696CAT IIThe Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.Juniper SRX Services Gateway VPN Security Technical Implementation Guide V-235774CAT IIThe built-in DNS client must be disabled.Microsoft Edge Security Technical Implementation Guide V-224965CAT IIKerberos user logon restrictions must be enforced.Microsoft Windows Server 2016 Security Technical Implementation Guide V-224966CAT IIThe Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.Microsoft Windows Server 2016 Security Technical Implementation Guide V-224967CAT IIThe Kerberos user ticket lifetime must be limited to 10 hours or less.Microsoft Windows Server 2016 Security Technical Implementation Guide V-224968CAT IIThe Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.Microsoft Windows Server 2016 Security Technical Implementation Guide V-224969CAT IIThe computer clock synchronization tolerance must be limited to 5 minutes or less.Microsoft Windows Server 2016 Security Technical Implementation Guide V-205703CAT IIWindows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205704CAT IIWindows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205705CAT IIWindows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.Microsoft Windows Server 2019 Security Technical Implementation Guide V-205706CAT IIWindows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.Microsoft Windows Server 2019 Security Technical Implementation Guide V-254386CAT IIWindows Server 2022 Kerberos user logon restrictions must be enforced.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254387CAT IIWindows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254388CAT IIWindows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254389CAT IIWindows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.Microsoft Windows Server 2022 Security Technical Implementation Guide V-254390CAT IIWindows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less.Microsoft Windows Server 2022 Security Technical Implementation Guide V-278133CAT IIWindows Server 2025 Kerberos user logon restrictions must be enforced.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278134CAT IIWindows Server 2025 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278135CAT IIWindows Server 2025 Kerberos user ticket lifetime must be limited to 10 hours or less.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278136CAT IIWindows Server 2025 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.Microsoft Windows Server 2025 Security Technical Implementation Guide V-278137CAT IIWindows Server 2025 computer clock synchronization tolerance must be limited to five minutes or less.Microsoft Windows Server 2025 Security Technical Implementation Guide V-260909CAT IIMKE must be configured to integrate with an Enterprise Identity Provider.Mirantis Kubernetes Engine Security Technical Implementation Guide V-246948CAT IIONTAP must implement replay-resistant authentication mechanisms for network access to privileges accounts.NetApp ONTAP DSC 9.x Security Technical Implementation Guide V-202055CAT IIThe network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.Network Device Management Security Requirements Guide V-243150CAT IIThe network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.Network WLAN AP-IG Management Security Technical Implementation Guide V-243168CAT IIThe network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.Network WLAN AP-NIPR Management Security Technical Implementation Guide V-243186CAT IIThe network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.Network WLAN Bridge Management Security Technical Implementation Guide V-243204CAT IIThe network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.Network WLAN Controller Management Security Technical Implementation Guide V-254205CAT IINutanix AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.Nutanix AOS 5.20.x OS Security Technical Implementation Guide V-279628CAT IINutanix OS must install and use SSH for remote access.Nutanix Acropolis GPOS Security Technical Implementation Guide V-271610CAT IIOL 9 must use the CAC smart card driver.Oracle Linux 9 Security Technical Implementation Guide V-228647CAT IIThe Palo Alto Networks security platform must implement replay-resistant authentication mechanisms for network access to privileged accounts.Palo Alto Networks NDM Security Technical Implementation Guide V-273808CAT IThe RUCKUS ICX device must use FIPS 140-2/140-3 approved algorithms for authentication to a cryptographic module.RUCKUS ICX NDM Security Technical Implementation Guide V-252843CAT IRancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide V-258121CAT IIRHEL 9 must use the common access card (CAC) smart card driver.Red Hat Enterprise Linux 9 Security Technical Implementation Guide V-257542CAT IIOpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide V-257542CAT IIOpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-257543CAT IOpenShift must use FIPS validated LDAP or OpenIDConnect.Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide V-275735CAT IUbuntu OS must implement NIST FIPS-validated cryptography.Riverbed NetIM OS Security Technical Implementation Guide V-256090CAT IThe Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.Riverbed NetProfiler Security Technical Implementation Guide V-254087CAT IInnoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.SPEC Innovations Innoslate 4.x Security Technical Implementation Guide V-261327CAT ISLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information.SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide V-216387CAT IIThe boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).Solaris 11 SPARC Security Technical Implementation Guide V-216150CAT IIThe boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).Solaris 11 X86 Security Technical Implementation Guide V-221607CAT IISplunk Enterprise must use HTTPS/SSL for access to the user interface.Splunk Enterprise 7.x for Windows Security Technical Implementation Guide V-251680CAT IISplunk Enterprise must use HTTPS/SSL for access to the user interface.Splunk Enterprise 8.x for Linux Security Technical Implementation Guide V-279166CAT IIThe ALG providing user authentication intermediary services must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).Symantec Edge SWG ALG Security Technical Implementation Guide V-279251CAT IThe Edge SWG must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access.Symantec Edge SWG NDM Security Technical Implementation Guide V-94697CAT IISymantec ProxySG must implement HTTPS-console to provide replay-resistant authentication mechanisms for network access to privileged accounts.Symantec ProxySG NDM Security Technical Implementation Guide V-241005CAT IICommon Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.Tanium 7.0 Security Technical Implementation Guide V-234066CAT IICommon Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.Tanium 7.3 Security Technical Implementation Guide V-254897CAT IIMultifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.Tanium 7.x Application on TanOS Security Technical Implementation Guide V-253828CAT IIMultifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.Tanium 7.x Security Technical Implementation Guide V-242254CAT IThe TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.Trend Micro TippingPoint NDM Security Technical Implementation Guide V-234363CAT IThe UEM server must use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.Unified Endpoint Management Server Security Requirements Guide V-234364CAT IIThe UEM server must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.Unified Endpoint Management Server Security Requirements Guide V-265315CAT IThe NSX Manager must only enable TLS 1.2 or greater.VMware NSX 4.x Manager NDM Security Technical Implementation Guide V-240459CAT IIThe SLES for vRealize must enforce SSHv2 for network access to privileged accounts.VMware vRealize Automation 7.x SLES Security Technical Implementation Guide V-239553CAT IIThe SLES for vRealize must enforce SSHv2 for network access to privileged accounts.VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide V-256402CAT IIIThe ESXi host must use Active Directory for local user authentication.VMware vSphere 7.0 ESXi Security Technical Implementation Guide V-256503CAT IIThe Photon operating system must use an OpenSSH server version that does not support protocol 1.VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide V-256318CAT IThe vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.VMware vSphere 7.0 vCenter Security Technical Implementation Guide V-258737CAT IIIThe ESXi host must uniquely identify and must authenticate organizational users by using Active Directory.VMware vSphere 8.0 ESXi Security Technical Implementation Guide V-265978CAT IIThe vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.VMware vSphere 8.0 vCenter Security Technical Implementation Guide V-207392CAT IIThe VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts.Virtual Machine Manager Security Requirements Guide V-207393CAT IIThe VMM must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.Virtual Machine Manager Security Requirements Guide V-207211CAT IIThe TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts.Virtual Private Network (VPN) Security Requirements Guide V-207212CAT IIThe IPsec VPN Gateway must use anti-replay mechanisms for security associations.Virtual Private Network (VPN) Security Requirements Guide V-73359CAT IIKerberos user logon restrictions must be enforced.Windows Server 2016 Security Technical Implementation Guide V-73359CAT IIKerberos user logon restrictions must be enforced.Windows Server 2016 Security Technical Implementation Guide V-73361CAT IIThe Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.Windows Server 2016 Security Technical Implementation Guide V-73361CAT IIThe Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.Windows Server 2016 Security Technical Implementation Guide V-73363CAT IIThe Kerberos user ticket lifetime must be limited to 10 hours or less.Windows Server 2016 Security Technical Implementation Guide V-73363CAT IIThe Kerberos user ticket lifetime must be limited to 10 hours or less.Windows Server 2016 Security Technical Implementation Guide V-73365CAT IIThe Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.Windows Server 2016 Security Technical Implementation Guide V-73365CAT IIThe Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.Windows Server 2016 Security Technical Implementation Guide V-73367CAT IIThe computer clock synchronization tolerance must be limited to 5 minutes or less.Windows Server 2016 Security Technical Implementation Guide V-73367CAT IIThe computer clock synchronization tolerance must be limited to 5 minutes or less.Windows Server 2016 Security Technical Implementation Guide V-93443CAT IIWindows Server 2019 Kerberos user logon restrictions must be enforced.Windows Server 2019 Security Technical Implementation Guide V-93445CAT IIWindows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.Windows Server 2019 Security Technical Implementation Guide V-93447CAT IIWindows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.Windows Server 2019 Security Technical Implementation Guide V-93449CAT IIWindows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.Windows Server 2019 Security Technical Implementation Guide V-93451CAT IIWindows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.Windows Server 2019 Security Technical Implementation Guide V-269574CAT IXylok Security Suite must use a centralized user management solution.Xylok Security Suite 20.x Security Technical Implementation Guide